Summary


A critical function in a fault-tolerant computer architecture is the synchronization of the redundant computing elements. One means of accomplishing this is for each computing element to maintain a local clock that is periodically synchronized with the other clocks in the system. The synchronization algorithm must include safeguards to ensure that failed components do not corrupt the behavior of good clocks. Reasoning about fault-tolerant clock synchronization is difficult because of the possibility of subtle interactions involving failed components. Therefore, mechanical proof systems are used to ensure that the verification of the synchronization system is correct.

In 1987, Schneider (Tech. Rep. 87-859, Cornell Univ.) presented a general proof of correctness for several fault-tolerant clock synchronization algorithms. Subsequently, Shankar (NASA CR-4386) verified Schneider's proof by using the mechanical proof system EHDM. This proof ensures that any system satisfying its underlying assumptions will provide Byzantine fault-tolerant clock synchronization. This paper explores the utility of Shankar's mechanization of Schneider's theory for the verification of clock synchronization systems.

In the course of this work, some limitations of Shankar's mechanically verified theory were encountered. These limitations include one assumption that is too strong and also insufficient support for reasoning about recovery from transient faults. With minor modifications to the other assumptions, a mechanically checked proof is provided that eliminates the overly strong assumption. In addition, the revised theory allows for proven recovery from transient faults.

Use of the revised theory is then illustrated with the verification of an abstract design 
of a fault-tolerant clock synchronization system. The fault-tolerant midpoint convergence 
function is proven with EHDM to satisfy the requirements of the theory. Then a design 
using this convergence function is shown to satisfy the remaining constraints. 
Chapter 1

Introduction 


At first glance, the development of fault-tolerant computer architectures does not appear to be a difficult problem. Clearly, three computers should be sufficient to survive a single fault. A simple majority vote should mask any errors caused by a failed component. However, to determine when to vote, the computers must be synchronized. This synchronization is easy with a perfect clock that coordinates actions among the redundant computing elements. Unfortunately, clocks also fail. Thus, each redundant computing element must maintain its own clock. No clock keeps perfect time; all drift with respect to some reference standard time. Similarly, clocks drift with respect to each other. Therefore, regular synchronization of the clocks of the redundant computing elements is necessary. An obvious algorithm for synchronizing the clocks of three computers is for each to periodically read the clocks of the other two and then set its own clock to equal the mid value of the three observed values. Intuitively, this algorithm should work, but consider what happens if one clock fails so that it behaves in an arbitrary fashion. The classic example is given by Lamport and Melliar-Smith (ref. 1). Suppose that the clock for computer A shows 1:00, the clock for computer B shows 2:00, and the clock for computer C has failed in such a way that when A reads C's clock it shows 0:00 and when B reads C's clock it shows 3:00. Clearly, neither A nor B has a compelling reason to adjust its clock and they may continue to drift apart. The presentation of Lamport and Melliar-Smith continues with a formal statement of the clock synchronization problem and presents three verified solutions. Subsequently, a number of other solutions to problems related to clock synchronization were developed, including those in references 2 through 7. A survey of the various approaches is given by Ramanathan, Shin, and Butler (ref. 8).

Schneider (ref. 9) recognized that the many approaches to clock synchronization can be presented as refinements of a single, verified paradigm. Shankar (ref. 10) provides a mechanical proof (using EHDM (ref. 11)) that Schneider's schema achieves Byzantine fault-tolerant clock synchronization, provided that 11 constraints are satisfied. (A failure that exhibits arbitrary or malicious behavior is called a Byzantine fault, in reference to the Byzantine Generals problem of Lamport, Shostak, and Pease (ref. 12).) One goal of this paper is to examine the utility of Shankar's mechanically checked version of Schneider's theory in the verification of a particular clock synchronization system.



The field of fault-tolerant computing is replete with examples of intuitively correct approaches that were later shown to be insufficient. In one system, the design of the fault-tolerance mechanism was cited as a major contributor to the unreliability of the system (ref. 13). Because of the extreme level of reliability required for many fault-tolerant systems, employing rigorous verification techniques is necessary. (An often quoted requirement for critical systems employed for civil air transport is a probability of catastrophic failure less than $10^{-9}$ for a 10-hour flight (ref. 14).) One such technique is the use of formal proof to establish that a design has certain properties. Additional certainty is gained by confirming the verification with a mechanical proof system, such as EHDM. Another benefit of machine-checked proofs is that the underlying assumptions are made explicit to help to clearly define the necessary verification conditions.

Shankar's verification of Schneider's protocol provides a trusted formal specification of a clock synchronization system. Many of the difficult aspects of the proof have been verified in a generic manner; all that is required to verify a synchronization system is to demonstrate that it meets the requirements of the general theory. This paper is a result of the first attempt to verify a design using Shankar's machine-checked theory (ref. 10). In the course of the verification, some difficulties were encountered with the underlying assumptions. The most significant problem was that one of the assumptions, bounded delay, was too strong. Bounded delay asserts that there is a bound on the elapsed time between synchronization events on any two good clocks. For some protocols, this property is the key required to maintain synchronization. The proof of bounded delay can be as difficult as the general synchronization property. This paper revises Shankar's general theory by modifying the remaining constraints to enable a general proof of bounded delay.

In an effort to demonstrate the applicability of formal proof techniques to the verification of highly reliable systems, the Langley Research Center is currently involved in the development of a formally verified Reliable Computing Platform (RCP) for real-time digital flight control (refs. 15, 16, and 17). The fault-tolerant clock synchronization circuit is intended to be part of a verified hardware base for the RCP. The primary intent of the RCP is to provide a verified fault-tolerant system that is proven to recover from a bounded number of transient faults. The current model of the system assumes (among other things) that the clocks are synchronized within a bounded skew (ref. 16). The clock synchronization circuitry also should be able to recover from transient faults. Originally, the interactive convergence algorithm (ICA) of Lamport and Melliar-Smith (ref. 1) was to be the basis for the clock synchronization system, the primary reason being the existence of a mechanical proof that the algorithm is correct (ref. 18). However, modifications to ICA to achieve transient-fault recovery are complicated. The fault-tolerant midpoint algorithm of Welch and Lynch (ref. 2) is more readily adapted to transient recovery.

Even though the clock synchronization circuit was designed to recover from transient faults, there was no support in the machine-checked theory for proven recovery from such failures. When the machine-checked theory was revised to remove the assumption of bounded delay, additional modifications were made to expand the theory to accommodate proven recovery from a bounded number of transient faults.
The synchronization circuit is designed to tolerate arbitrarily malicious permanent, intermittent, and transient hardware faults. A fault is defined as a physical perturbation altering the function implemented by a physical device. Intermittent faults are permanent physical defects that do not continuously alter the function of a device (e.g., a loose wire). A transient fault is caused by a one-shot, short-duration physical perturbation of a device (e.g., a cosmic ray or electromagnetic effect). This perturbation can result in any of the following situations:

1. Permanent damage to the device

2. No damage with a persistent error induced

3. No damage with the system recovering from the erroneous state

The first situation is classified as a permanent fault; the second and third are transient faults. A good design can eliminate the second situation by establishing a recovery path from all possible system states. Such a design is called self-stabilizing (ref. 19). Once the physical source of the fault is removed, the device can function correctly. The synchronization circuit is designed to automatically recover from a bounded number of transient failures.


Most proofs of fault-tolerant clock synchronization algorithms are by induction on the number of synchronization intervals. Usually, the base case of the induction, the initial skew, is assumed. The descriptions in references 1, 9, 10, and 18 all assume initial synchronization with no mention of how it is achieved. Others, including references 2, 4, 6, and 20, address the issue of initial synchronization and give descriptions of how it is achieved in varying degrees of detail. In proving an implementation correct, the details of initial synchronization cannot be ignored. If the initialization scheme is robust enough, it can also serve as a recovery mechanism from multiple correlated transient failures (as noted in ref. 20).

The chapters in this paper are arranged by decreasing generality. The most general results are presented first and are applicable to a number of designs. The use of the theory is then illustrated by application to a specific design. In Chapter 2, the definitions and constraints required by the general clock synchronization theory are presented. Chapter 3 presents the main revision made to Shankar's theory, which is removing the assumption of bounded delay. Chapter 4 presents mechanically checked proofs that the fault-tolerant midpoint convergence function satisfies the constraints required by the theory. In Chapter 5, a hardware realization of a fault-tolerant clock synchronization circuit is introduced and shown to satisfy the remaining constraints of the theory. Finally, in Chapter 6, the mechanisms for achieving initial synchronization and transient recovery are presented. Modifications to the theory to support the transient recovery arguments are also presented.

The information presented in this report was included in a thesis offered in partial 
fulfillment of the requirements for the Degree of Master of Science, The College of William 
and Mary in Virginia, Williamsburg, Virginia, 1992. 
Chapter 2

Clock Definitions 


A clock synchronization system ensures that the readings of two synchronized clocks differ by no more than a small amount $\delta$ for all time $t$. In addition, a fault-tolerant collection of clocks should maintain synchrony, even if a limited number of clocks have failed. Figure 2.1 illustrates a possible four-clock system that is designed to tolerate the failure of no more than one clock. Each nonfaulty clock provides a synchronized time reference $VC_p$ to local processing element $p$. This reference is guaranteed to be approximately synchronized with the corresponding value on any other good clock in the system. This guarantee is provided by an internal physical clock $PC_p$ and a distributed fault-tolerant clock synchronization algorithm executing in each of the redundant channels. A generalized view of the algorithm employed is

    do forever {
        exchange clock values
        determine adjustment for this interval
        determine local time to apply correction
        when time, apply correction
    }

A system that implements this algorithm and satisfies the definitions and conditions presented in this chapter possesses the following property (presented in ref. 10):

Theorem 2.1 (bounded skew) For any two clocks $p$ and $q$ that are nonfaulty at time $t$,

\[ |VC_p(t) - VC_q(t)| < \delta \]

In other words, the skew between good clocks is bounded by $\delta$.

2.1 Notation

A fault-tolerant clock synchronization system is composed of an interconnected collection of physically isolated clocks. Each redundant clock incorporates a physical oscillator that marks the passage of time. Each oscillator drifts with respect to real time by a small amount. Physical clocks derived from these oscillators similarly drift with respect to each other. Following reference 1, the discussion of clocks involves two views of time. Real time corresponds to an assumed Newtonian time frame; clock time is the measurement of this time frame by some clock. Identifiers representing real-time quantities will be denoted by lower case letters, e.g., $t, s : \mathrm{Var}\ time$. Here, $t$ and $s$ are variables (in the logical theory) of type $time$. A declaration without the keyword Var defines a constant, e.g., $t : time$ defines the constant $t$ of type $time$. Typically, $time$ is taken as ranging over the real numbers. Clock time will be represented by upper case letters, e.g., $T, S : \mathrm{Var}\ Clocktime$. Although $Clocktime$ is often treated as ranging over the reals (refs. 2, 10, and 18), a physical realization of a clock marks time in discrete intervals. In this presentation $Clocktime$ is assumed to range over the integers. The unit for both $time$ and $Clocktime$ is the tick. There are two sets of functions associated with the physical clocks¹: functions mapping real time to clock time for each process $p$²

\[ PC_p : time \rightarrow Clocktime \]

and functions mapping clock time to real time,

\[ pc_p : Clocktime \rightarrow time \]

¹ Shankar's presentation includes only the mappings from $time$ to $Clocktime$. The mappings from $Clocktime$ to $time$ are added here because they are more natural representations for some of the constraints.
² Declarations of the form $f : a \rightarrow d$ define a function $f$ with domain $a$ and range $d$.
The notation $PC_p(t)$ represents the reading of $p$'s physical clock at real time $t$ and $pc_p(T)$ denotes the earliest real time that $p$'s clock reads $T$. By definition, $PC_p(pc_p(T)) = T$ for all $T$. In addition, we assume that $pc_p(PC_p(t)) \le t < pc_p(PC_p(t) + 1)$.

The purpose of a clock synchronization algorithm is to make periodic adjustments to local clocks to keep a distributed collection of clocks within a bounded skew of each other. This periodic adjustment makes analysis difficult; therefore an interval clock abstraction is used in the proofs. Each process $p$ has an infinite number of interval clocks associated with it, each of these indexed by the number of intervals since the beginning of the protocol. An interval corresponds to the elapsed time between adjustments to the virtual clock. These interval clocks are equivalent to adding an offset to the physical clock of a process. As with the physical clocks, they are characterized by two functions: $IC^i_p : time \rightarrow Clocktime$ and $ic^i_p : Clocktime \rightarrow time$. If we let $adj^i_p : Clocktime$ denote the cumulative adjustment made to a clock as of the $i$th interval, we get the following definitions for the $i$th interval clock:

\[ IC^i_p(t) = PC_p(t) + adj^i_p \]
\[ ic^i_p(T) = pc_p(T - adj^i_p) \]

From these definitions, it is simple to show $IC^i_p(ic^i_p(T)) = PC_p(pc_p(T - adj^i_p)) + adj^i_p = T$ for all $T$. Sometimes it is more useful to refer to the incremental adjustment made in a particular interval than to use a cumulative adjustment. By letting $ADJ^i_p = adj^{i+1}_p - adj^i_p$, we get the following equations relating successive interval clocks:

\[ IC^{i+1}_p(t) = IC^i_p(t) + ADJ^i_p \]
\[ ic^{i+1}_p(T) = ic^i_p(T - ADJ^i_p) \]

A virtual clock, $VC_p : time \rightarrow Clocktime$, is defined in terms of the interval clocks by the equation

\[ VC_p(t) = IC^i_p(t) \qquad (t^i_p \le t < t^{i+1}_p) \]

The symbol $t^i_p$ denotes the instant in real time that process $p$ begins the $i$th interval clock. Notice that there is no mapping from $Clocktime$ to $time$ for the virtual clock because $VC_p$ is not necessarily monotonic; the inverse relation might not be a function for some synchronization protocols. The definition of $VC_p(t)$ from the equations for $IC$ is illustrated in figure 2.2.

Synchronization protocols provide a mechanism for processes to read each other's clocks. The adjustment is computed as a function of these readings. In Shankar's presentation, the readings of remote clocks are captured in the function $\Theta^{i+1}_p : process \rightarrow Clocktime$, where $\Theta^{i+1}_p(q)$ denotes process $p$'s estimate of $q$'s $i$th interval clock at real time $t^{i+1}_p$ (i.e., $IC^i_q(t^{i+1}_p)$). Each process executes the same (higher order) convergence function, $cfn : (process, (process \rightarrow Clocktime)) \rightarrow Clocktime$, to determine the proper correction to apply³. Shankar defines the cumulative adjustment in terms of the convergence function as follows:

\[ adj^{i+1}_p = cfn(p, \Theta^{i+1}_p) - PC_p(t^{i+1}_p) \]
\[ adj^0_p = 0 \]

³ The domain of a higher order function can include functions. In this case, the second argument of $cfn$ is itself a function with domain $process$ and range $Clocktime$.

Figure 2.2: Determining $VC_p(t)$. (Scale does not permit display of $IC_p$ as a step function.)

The following can be simply derived from the preceding definitions:

\[ VC_p(t^{i+1}_p) = IC^{i+1}_p(t^{i+1}_p) = cfn(p, \Theta^{i+1}_p) \]
\[ IC^{i+1}_p(t) = cfn(p, \Theta^{i+1}_p) + PC_p(t) - PC_p(t^{i+1}_p) \]
\[ ADJ^i_p = cfn(p, \Theta^{i+1}_p) - IC^i_p(t^{i+1}_p) \]

Using some of these equations and the conditions presented in section 2.2, Shankar mechanically verified Schneider's paradigm. Chapter 3 presents a general argument for satisfying one of the assumptions of Shankar's proof. The argument requires some modifications to Shankar's constraints and introduces a few new assumptions; in addition, some of the existing constraints are rendered unnecessary.

A new constant, $R : Clocktime$, is introduced which denotes the expected duration of a synchronization interval as measured by clock time. (That is, in the absence of drift and jitter, no correction is necessary for the clocks to remain synchronized. In this case, the duration of an interval is exactly $R$ ticks.) We also introduce a collection of distinguished clock times $S^i : Clocktime$, such that $S^i = iR + S^0$ and $S^0$ is a particular clock time in the first synchronization interval. We also introduce the abbreviation $s^i_p$, defined as equal to $ic^i_p(S^i)$. The only constraints on $S^i$ are that, for each nonfaulty clock $p$ and real times $t_1$ and $t_2$,

\[ (VC_p(t_1) = S^i) \wedge (VC_p(t_2) = S^i) \supset t_1 = t_2 \]

and some real time $t$ exists, such that

\[ VC_p(t) = S^i \]

The rationale for these constraints is that we want to unambiguously define a clock time in each synchronization interval to simplify the arguments necessary to bound the separation of good clocks. If we choose a clock time near the instant that an adjustment is applied, it is possible that the VC will never read that value because the clock has been adjusted ahead, or that the value will be reached twice because of the clock being adjusted back. In reference 2, the chosen unambiguous event is the clock time that each good processor uses to initiate the exchange of clock values. For other algorithms, any clock time sufficiently removed from the time of the adjustment will suffice. A simple way to satisfy these constraints is to ensure that for all $i$,

\[ S^i + |ADJ^i_p| < T^{i+1}_p < S^{i+1} - |ADJ^i_p| \]

where $T^{i+1}_p = IC^i_p(t^{i+1}_p)$.
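To make the interval-clock algebra concrete, the following Python model is an added example (it is not code from the report or from the EHDM development it describes). It represents a physical clock by the real-time instants of its ticks, derives $PC_p$, $pc_p$, $IC^i_p$, $ic^i_p$, $ADJ^i_p$ and $VC_p$ from the definitions above, and checks the identities of this section on constructed data. The tick instants, the switch times $T^{i+1}_p$ and the values standing in for $cfn(p, \Theta^{i+1}_p)$ are all constructed inputs. The last method counts the number of intervals in which $VC_p$ reads a given Clocktime, which is exactly what the constraints on $S^i$ demand: a value just below a backward correction is read twice, a value skipped by a forward correction never, and a value well away from the corrections exactly once.

```python
"""Discrete model of the physical, interval and virtual clocks of section 2.1.

Added illustration; this is not code from the report or from the EHDM
development it describes.  Real time is a float measured in ticks and
Clocktime is an int, following the report's choice of integer Clocktime.
The tick instants and the convergence-function results are constructed inputs.
"""
from bisect import bisect_right


class PhysicalClock:
    """pc_p(T): earliest real time the clock reads T.  PC_p(t): the reading at real time t."""

    def __init__(self, tick_instants):
        self.ticks = tick_instants              # tick_instants[T] is the real time of reading T

    def pc(self, T):
        return self.ticks[T]

    def PC(self, t):
        return bisect_right(self.ticks, t) - 1  # index of the last tick at or before t


class IntervalClocks:
    """IC^i_p, ic^i_p and VC_p built from a physical clock and cumulative adjustments adj^i_p."""

    def __init__(self, phys, T0, switch_times, cfn_results):
        # switch_times[i] is T^{i+1}_p, the Clocktime at which p leaves IC^i_p;
        # cfn_results[i] stands in for cfn(p, Theta^{i+1}_p) (assumed values, not computed here).
        self.phys = phys
        self.targets = list(cfn_results)
        self.adj = [0]                          # adj^0_p = 0
        self.t_start = [phys.pc(T0)]            # t^0_p = ic^0_p(T^0)
        for T_switch, target in zip(switch_times, cfn_results):
            i = len(self.adj) - 1
            t_next = self.ic(i, T_switch)       # t^{i+1}_p = ic^i_p(T^{i+1}_p)
            self.adj.append(target - phys.PC(t_next))   # adj^{i+1}_p = cfn(...) - PC_p(t^{i+1}_p)
            self.t_start.append(t_next)

    def IC(self, i, t):
        return self.phys.PC(t) + self.adj[i]

    def ic(self, i, T):
        return self.phys.pc(T - self.adj[i])

    def ADJ(self, i):
        return self.adj[i + 1] - self.adj[i]

    def VC(self, t):
        i = bisect_right(self.t_start, t) - 1   # interval with t^i_p <= t < t^{i+1}_p
        if i < 0:
            raise ValueError("real time precedes t^0_p")
        return self.IC(i, t)

    def vc_read_count(self, S):
        """Number of intervals in which VC_p reads S; exactly 1 means S is unambiguous."""
        n = 0
        for i in range(len(self.t_start)):
            end = self.t_start[i + 1] if i + 1 < len(self.t_start) else float("inf")
            n += self.t_start[i] <= self.ic(i, S) < end
        return n


def make_example():
    ticks = [0.0]                               # constructed: tick lengths wobble around 1.0
    for k in range(200):
        ticks.append(ticks[-1] + (1.0005 if k % 3 else 0.9990))
    # Leave IC^0_p at Clocktime 60 with a +2 correction and IC^1_p at 110 with a -3 correction.
    return IntervalClocks(PhysicalClock(ticks), T0=10, switch_times=[60, 110], cfn_results=[62, 107])


def check_identities(clk):
    """Check the relations between PC, pc, IC, ic, ADJ and VC stated in section 2.1."""
    phys, ok = clk.phys, True
    ok &= all(phys.PC(phys.pc(T)) == T for T in range(200))
    ok &= all(phys.pc(phys.PC(t)) <= t < phys.pc(phys.PC(t) + 1) for t in [x / 7 for x in range(1, 1300)])
    for i, target in enumerate(clk.targets):
        t_next = clk.t_start[i + 1]
        ok &= clk.VC(t_next) == clk.IC(i + 1, t_next) == target   # VC_p(t^{i+1}_p) = cfn(p, Theta^{i+1}_p)
        ok &= clk.ADJ(i) == target - clk.IC(i, t_next)             # ADJ^i_p = cfn(...) - IC^i_p(t^{i+1}_p)
        for T in range(20, 180):
            ok &= clk.IC(i, clk.ic(i, T)) == T
            ok &= clk.ic(i + 1, T) == clk.ic(i, T - clk.ADJ(i))
        for t in [x / 3 for x in range(30, 540)]:
            ok &= clk.IC(i + 1, t) == clk.IC(i, t) + clk.ADJ(i)
            ok &= clk.IC(i + 1, t) == target + phys.PC(t) - phys.PC(t_next)
    return bool(ok)


def vc_around_switch(clk, i):
    """VC_p just before and at t^i_p: a backward correction makes VC_p non-monotonic."""
    t = clk.t_start[i]
    return clk.VC(t - 1e-6), clk.VC(t)
```

With the constructed schedule the cumulative adjustments come out as $adj^0_p = 0$, $adj^1_p = 2$, $adj^2_p = -1$, so $ADJ^1_p = -3$: at $t^2_p$ the virtual clock steps from 109 back to 107, Clocktime 108 is read in two intervals, and Clocktime 61 is never read because the first correction jumped over it. The unambiguous values required for $S^i$ are those with a count of exactly one.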

Table 2.1 summarizes the notation for the key elements required for a verified clock synchronization algorithm. Table 2.2 presents the many constants used in section 2.2. They are described when they are introduced in the text but are included here as a convenient reference.

Table 2.1: Clock Notation

    Notation                   Definition
    $PC_p(t)$                  Reading of p's physical clock at real time t
    $pc_p(T)$                  Earliest real time that p's physical clock reads T
    $IC^i_p(t)$                Reading of p's ith interval clock at real time t
    $ic^i_p(T)$                Earliest real time that p's ith interval clock reads T
    $VC_p(t)$                  Reading of p's virtual clock at real time t
    $T^0$                      Clocktime at beginning of protocol (for all good clocks)
    $T^{i+1}_p$                Clocktime for $VC_p$ to switch from ith to (i+1)th interval clock
    $t^i_p$                    Real time that processor p begins ith synchronization interval ($t^{i+1}_p = ic^i_p(T^{i+1}_p)$)
    $R$                        Clocktime duration of synchronization interval
    $S^0$                      Special Clocktime in initial interval
    $S^i$                      Unambiguous clock time in interval i; $S^i = iR + S^0$
    $s^i_p$                    Abbreviation for $ic^i_p(S^i)$
    $adj^i_p$                  Cumulative adjustment to p's physical clock up through $t^i_p$
    $ADJ^i_p$                  Abbreviation for $adj^{i+1}_p - adj^i_p$
    $\Theta^{i+1}_p$           Array of clock readings (local to p) such that $\Theta^{i+1}_p(q)$ is p's reading of q's ith interval clock at $t^{i+1}_p$
    $cfn(p, \Theta^{i+1}_p)$   Convergence function executed by p to establish $IC^{i+1}_p(t^{i+1}_p)$

Table 2.2: Constants

    Constant                               Definition
    $\delta_S : Clocktime$                 Bound on skew at beginning of protocol
    $\delta : Clocktime$                   Bound on skew for all time
    $\rho : number$                        Allowable drift rate for a good clock, $0 < \rho \ll 1$
    $\beta' : time$                        Maximum elapsed time from $s^i_p$ to $s^i_q$ (p and q working)
    $\beta : time$                         Maximum elapsed time from $t^i_p$ to $t^i_q$ (p and q working)
    $\beta_{read} : time$                  Maximum separation between $s^i_p$ and $s^i_q$ for p to accurately read q; $\beta' < \beta_{read} < R/2$
    $r_{min} : time$                       Minimum elapsed time from $t^i_p$ to $t^{i+1}_p$ for good p
    $r_{max} : time$                       Maximum elapsed time from $t^i_p$ to $t^{i+1}_p$ for good p
    $\Lambda : Clocktime$                  Bound on error reading a remote clock
    $\Lambda' : number$                    Reformulated error bound for reading a remote clock
    $\alpha(\beta' + 2\Lambda') : number$  Bound on $|ADJ^i_p|$ for good p and all i

2.2 Conditions

This section presents the assumptions required in the proof of theorem 2.1. The conditions can be separated into three main classes: abstract properties required of the convergence function, physical properties of the system, and various constraints on the length of the synchronization interval. Additional constraints are also determined by the proof of theorem 2.1. Some of these properties are taken directly from Shankar's presentation, whereas others are revised in order to facilitate verification of a clock synchronization system. Additional modifications are made to enable proofs of transient-fault recovery.

2.2.1 Properties of Convergence Function

Synchronization algorithms use a convergence function $cfn(p, \theta)$ to determine the adjustment required to maintain synchrony. The general theory requires that the convergence function satisfy three properties: translation invariance, precision enhancement, and accuracy preservation. Shankar mechanically proves that the interactive convergence function of Lamport and Melliar-Smith (ref. 1) satisfies these three conditions. A mechanically checked proof that the fault-tolerant midpoint function used by Welch and Lynch (ref. 2) satisfies these conditions is presented in Chapter 4 and was previously reported in reference 21. Schneider presents proofs that a number of other protocols satisfy these properties in reference 9. The conditions in this section are unchanged from Shankar's presentation.

The constraints on the convergence function assume a bound on the number of faults to be tolerated. This condition is stated here as condition 1; in Shankar's presentation, this was condition 8.

Condition 1 (bounded faults) At any time $t$, the number of faulty processes is at most $F$.

Translation invariance means that the value obtained by adding $X : Clocktime$ to the result of the convergence function should be the same as adding $X$ to each of the clock readings used in evaluating the convergence function. This was condition 9 in Shankar's presentation. The statement of this condition adapts notation from the lambda calculus. The symbol $\lambda$ is used to define an unnamed function. For example, $\lambda x.\, x + 2$ defines a function of one argument $x$ that returns the sum of $x$ and 2. For a detailed treatment of the lambda calculus, see reference 22.

Condition 2 (translation invariance) For any function $\theta$ mapping clocks to clock values,

\[ cfn(p, (\lambda n.\, \theta(n) + X)) = cfn(p, \theta) + X \]

Precision enhancement is a formalization of the concept that, after executing the convergence function, the values of interest should be close together. Essentially, if the arguments presented to the convergence function are sufficiently similar, there is a bound on the difference of the results. In the proof of theorem 2.1, this condition ensures that if a large enough collection of good clocks is synchronized in one interval, then they will still be synchronized in the next. This was Shankar's condition 10.

Condition 3 (precision enhancement) Given any subset $C$ of the $N$ clocks with $|C| \ge N - F$ and clocks $p$ and $q$ in $C$, then for any readings $\gamma$ and $\theta$ satisfying the conditions

1. For any $\ell$ in $C$, $|\gamma(\ell) - \theta(\ell)| \le X$

2. For any $\ell, m$ in $C$, $|\gamma(\ell) - \gamma(m)| \le Y$

3. For any $\ell, m$ in $C$, $|\theta(\ell) - \theta(m)| \le Y$

there is a bound $\pi(X, Y)$ such that

\[ |cfn(p, \gamma) - cfn(q, \theta)| \le \pi(X, Y) \]

Accuracy preservation formalizes the notion that there should be a bound on the amount of correction applied in any synchronization interval. Accuracy preservation was condition 11 in Shankar's report.

Condition 4 (accuracy preservation) Given any subset $C$ of the $N$ clocks with $|C| \ge N - F$ and clock readings $\theta$ such that, for any $\ell$ and $m$ in $C$, the bound $|\theta(\ell) - \theta(m)| \le X$ holds, there is a bound $\alpha(X)$ such that for any $p$ and $q$ in $C$,

\[ |cfn(p, \theta) - \theta(q)| \le \alpha(X) \]

For some convergence functions, the properties of precision enhancement and accuracy preservation can be weakened to simplify arguments for recovery from transient faults. Precision enhancement can be satisfied by many convergence functions even if $p$ and $q$ are not in $C$. Similarly, accuracy preservation can often be satisfied even when $p$ is not in $C$.
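As an added example (not code from the report or from its EHDM proofs), here is the fault-tolerant midpoint convergence function of Welch and Lynch in Python, together with executable statements of Conditions 2 through 4 and a randomized check over constructed reading arrays that include up to $F$ two-faced clocks. The function drops the $F$ smallest and $F$ largest readings and returns the midpoint of what remains; a reading array $\Theta$ is modelled as a dict from process to Clocktime, and $cfn$ ignores its first argument, as the midpoint function does. The bounds checked, $\pi(X, Y) = X + Y/2$ and $\alpha(X) = X$, are for the exact (unrounded) midpoint with $N \ge 3F + 1$ and are assumptions of this example; the report's own bounds for the integer-Clocktime version are established in Chapter 4 and must account for rounding of the midpoint.

```python
"""Fault-tolerant midpoint convergence function with the three conditions of section 2.2.1.

Added illustration, not code from the report or from its EHDM proofs.  A reading
array Theta is a dict process -> Clocktime; cfn ignores p, as the midpoint
function does.  Exact rationals keep the midpoint unrounded, so the bounds
checked are pi(X, Y) = X + Y/2 and alpha(X) = X for N >= 3F + 1 (assumed here;
the integer-Clocktime version must also account for rounding).
"""
from fractions import Fraction
import random


def cfn_midpoint(p, theta, F):
    """Discard the F smallest and F largest readings; return the midpoint of the rest."""
    vals = sorted(theta.values())
    if len(vals) < 2 * F + 1:
        raise ValueError("need at least 2F+1 readings")
    kept = vals[F:len(vals) - F]
    return Fraction(kept[0] + kept[-1], 2)


def translation_invariant(p, theta, F, X):
    """Condition 2: cfn(p, lambda n. theta(n) + X) = cfn(p, theta) + X."""
    shifted = {n: theta[n] + X for n in theta}
    return cfn_midpoint(p, shifted, F) == cfn_midpoint(p, theta, F) + X


def within(readings, C, bound):
    return all(abs(readings[l] - readings[m]) <= bound for l in C for m in C)


def precision_enhancement(N, F, C, gamma, theta, X, Y, p, q):
    """Condition 3 with pi(X, Y) = X + Y/2; vacuously True when the hypotheses fail."""
    if not (len(C) >= N - F and all(abs(gamma[l] - theta[l]) <= X for l in C)
            and within(gamma, C, Y) and within(theta, C, Y)):
        return True
    return abs(cfn_midpoint(p, gamma, F) - cfn_midpoint(q, theta, F)) <= X + Fraction(Y, 2)


def accuracy_preservation(N, F, C, theta, X, p, q):
    """Condition 4 with alpha(X) = X; vacuously True when the hypotheses fail."""
    if not (len(C) >= N - F and within(theta, C, X)):
        return True
    return abs(cfn_midpoint(p, theta, F) - theta[q]) <= X


def random_readings(rng, N, F, X, Y):
    """Constructed arrays gamma (seen by p) and theta (seen by q): good clocks agree to within X,
    each array's good values lie within Y, and the F faulty clocks report arbitrary, two-faced values."""
    faulty = set(rng.sample(range(N), F))
    C = [n for n in range(N) if n not in faulty]
    base = rng.randint(-50, 50)
    base2 = base + rng.randint(-X, X)           # theta's good values live in [base2, base2 + Y]
    gamma, theta = {}, {}
    for n in range(N):
        if n in faulty:
            gamma[n], theta[n] = rng.randint(-1000, 1000), rng.randint(-1000, 1000)
        else:
            gamma[n] = base + rng.randint(0, Y)
            theta[n] = min(max(gamma[n] + rng.randint(-X, X), base2), base2 + Y)
    return C, gamma, theta


def tight_case(X, Y):
    """Four clocks, F = 1: good readings (0, 0, Y) versus (X, X, Y + X) with the faulty clock
    reporting -100 to one side and +1000 to the other.  The difference equals X + Y/2 exactly."""
    gamma = {0: 0, 1: 0, 2: Y, 3: -100}
    theta = {0: X, 1: X, 2: Y + X, 3: 1000}
    return cfn_midpoint(0, theta, 1) - cfn_midpoint(1, gamma, 1)


def run_trials(trials=1000, N=4, F=1, X=3, Y=8, seed=7):
    """Randomized check of conditions 2-4 for the midpoint function; True if no violation is found."""
    rng = random.Random(seed)
    for _ in range(trials):
        C, gamma, theta = random_readings(rng, N, F, X, Y)
        p, q = rng.choice(C), rng.choice(C)
        if not (translation_invariant(p, gamma, F, rng.randint(-20, 20))
                and precision_enhancement(N, F, C, gamma, theta, X, Y, p, q)
                and accuracy_preservation(N, F, C, gamma, Y, p, q)):
            return False
    return True
```

The tight case is worth keeping in mind when reading Condition 3: a single faulty clock that places itself below the good readings for $p$ and above them for $q$ shifts the two reduced ranges in opposite directions, and the resulting difference of $X + Y/2$ is the most the midpoint can be made to disagree for $N \ge 3F + 1$. A randomized check of this kind is no substitute for the mechanical proof in Chapter 4, but it catches an incorrectly stated bound quickly before one attempts to prove it.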

2.2.2 Physical Properties

Some of the conditions characterize the expected physical properties of the system. We rely on experimentation and engineering analysis to demonstrate these conditions.

The rate at which a good clock can drift from real time is bounded by a small positive constant $\rho$. Typically, $\rho < 10^{-5}$.

Condition 5 (bounded drift) There is a nonnegative constant $\rho$ such that if $p$'s clock is nonfaulty during the interval from $T$ to $S$ ($S \ge T$), then

\[ \frac{S - T}{1 + \rho} \le pc_p(S) - pc_p(T) \le (1 + \rho)(S - T) \]

This condition replaces Shankar's condition 2. This assumption is stronger than Shankar's bound on drift, but the change is necessary to accommodate the integer representation of $Clocktime$. However, if the unit of $time$ is taken to be a tick of $Clocktime$ and $Clocktime$ ranges over the integers, we can then derive the following bound on drift, which is sufficient for preserving Shankar's mechanical proof (with minor modifications):

Corollary 5.1 If $p$'s clock is not faulty during the interval from $t$ to $s$, then

\[ \left\lfloor \frac{s - t}{1 + \rho} \right\rfloor \le PC_p(s) - PC_p(t) \le \left\lceil (1 + \rho)(s - t) \right\rceil \]

Note that with Shankar's algebraic relations defining various components of clocks, we can use these constraints to bound the drift of any interval clock ($ic^i_p$) for any $i$.

The following corollary to bounded drift limits the amount two good clocks can drift with respect to each other during the interval from $T$ to $S$.

Corollary 5.2 If clocks $p$ and $q$ are not faulty during the interval from $T$ to $S$,

\[ |pc_p(S) - pc_q(S)| \le |pc_p(T) - pc_q(T)| + 2\rho(S - T) \]

This corollary is used in bounding the amount of skew caused by drift during each synchronization interval.

We can also derive an additional corollary (adapted from lemma 2 of ref. 2).

Corollary 5.3 If clock $p$ is not faulty during the interval from $T$ to $S$,

\[ |(pc_p(S) - S) - (pc_p(T) - T)| \le \rho |S - T| \]

This corollary recasts bounded drift into a form more useful for some proofs. A similar relation holds for $PC$.
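Corollaries 5.2 and 5.3 follow from Condition 5 in a few lines. The report states them without the intermediate steps, so the derivation below is added here and is not part of the original text; it uses only the two inequalities of Condition 5 and assumes $S \ge T$.

For a nonfaulty $p$ write $D = S - T$ and $d_p = pc_p(S) - pc_p(T)$, so that Condition 5 reads $D/(1 + \rho) \le d_p \le (1 + \rho) D$.

Corollary 5.2. Since $pc_p(S) - pc_q(S) = (pc_p(T) - pc_q(T)) + (d_p - d_q)$ and both $d_p$ and $d_q$ lie in the same interval,

\[ |d_p - d_q| \le (1 + \rho) D - \frac{D}{1 + \rho} = \frac{\rho (2 + \rho)}{1 + \rho}\, D \le 2 \rho D, \]

the last step because $\rho(2 + \rho) \le 2\rho(1 + \rho)$ for $\rho \ge 0$. The triangle inequality then gives $|pc_p(S) - pc_q(S)| \le |pc_p(T) - pc_q(T)| + 2\rho(S - T)$.

Corollary 5.3. Since $(pc_p(S) - S) - (pc_p(T) - T) = d_p - D$, Condition 5 gives

\[ -\frac{\rho}{1 + \rho}\, D \le d_p - D \le \rho D, \]

so $|d_p - D| \le \rho D = \rho |S - T|$; the case $S < T$ follows by exchanging the roles of $S$ and $T$. Note that the lower bound is tighter than the upper one by the factor $1/(1 + \rho)$, which is why the symmetric form $\rho |S - T|$ is the natural statement. The same argument applied to Corollary 5.1 gives the corresponding relation for $PC_p$.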


All clock synchronization protocols require each process to obtain an estimate of the clock values for other processes within the system. The determination of this estimate is called reading the remote clock, even if there is no direct means to observe its value. Typically, some underlying communication protocol is employed which allows a fairly accurate estimate of other clocks in the system. Error in this estimate can be bounded but not eliminated. A discussion of different mechanisms for reading remote clocks can be found in Schneider (ref. 9). Shankar's statement of the bound on reading error is as follows:

Shankar's Condition 7 (reading error) For nonfaulty clocks $p$ and $q$,

\[ |IC^i_q(t^{i+1}_p) - \Theta^{i+1}_p(q)| \le \Lambda \]

This condition neglects an important point. In some protocols, the ability to accurately read another processor's clock is dependent on the clocks being already sufficiently synchronized. Therefore, we add a precondition stating that the real-time separation of $s^i_p$ and $s^i_q$ is bounded by some value $\beta_{read}$. The precise value of $\beta_{read}$ required to ensure bounds on the reading error is determined by the implementation, but in all cases $\beta' < \beta_{read} < R/2$. Another useful observation is that an estimate of the value of a remote clock is subject to two interpretations. It can be used to approximate the difference in $Clocktime$ that two clocks show at an instant of real time, or it can be used to approximate the separation in real time at which two clocks show the same $Clocktime$.

Condition 6 (reading error) For nonfaulty clocks $p$ and $q$, if $|s^i_p - s^i_q| \le \beta_{read}$,

1. $|IC^i_q(t^{i+1}_p) - \Theta^{i+1}_p(q)| = |(\Theta^{i+1}_p(q) - IC^i_p(t^{i+1}_p)) - (IC^i_q(t^{i+1}_p) - IC^i_p(t^{i+1}_p))| \le \Lambda$

2. $|(\Theta^{i+1}_p(q) - IC^i_p(t^{i+1}_p)) - (ic^i_p(T^{i+1}_p) - ic^i_q(T^{i+1}_p))| \le \Lambda$

3. $|(\Theta^{i+1}_p(q) - IC^i_p(t^{i+1}_p)) - (ic^i_p(S^i) - ic^i_q(S^i))| \le \Lambda'$

The first clause just restates the existing read error condition to illustrate that the read error can also be viewed as the error in an estimate of the difference in readings of $Clocktime$; that is, the estimate allows us to determine approximately another clock's reading at a particular instant of time. The second clause recognizes that this difference can also be used to obtain an estimate of the time when a remote clock shows a particular $Clocktime$. For these relations, elements of type $Clocktime$ and $time$ are both treated as being of type $number$. $Clocktime$ is a synonym for $integer$, which is a subtype of $number$, and $time$ is a synonym for $number$. The third clause is the one used in this paper; it relates the real-time separation of clocks when they read $S^i$ to the estimated difference when the correction is applied. A bound on this could be derived from the second clause, but it is likely that a tighter bound can be derived from the implementation. Since the guaranteed skew is derived, in part, from the read error, we wish this bound to be as tight as possible. For this reason, we add it as an assumption to be satisfied in the context of a particular implementation.

2.2.3 Interval Constraints 

The conditions constraining the length of a synchronization interval are determined, 
in part, by the closeness of the initial synchronization. The following condition replaces 
Shankar’s condition 1: 


Condition 7 (bounded delay init) For nonfaulty processes $p$ and $q$,

$$ |t^0_p - t^0_q| < \beta' - 2\rho(S^0 - T^0) $$

A constraint similar to Shankar's can be easily derived from this new condition by using
the constraint on clock drift. (Shankar's condition 1 is an immediate consequence of
lemma 2.1.1 in appendix A.) An immediate consequence of this and condition 5 is that

$$ |s^0_p - s^0_q| < \beta'. $$

Shankar assumes a bound on the duration of the synchronization interval. 

Shankar's Condition 3 (bounded interval) For nonfaulty clock $p$,

$$ 0 < r_{min} < t^{i+1}_p - t^i_p < r_{max} $$


The terms $r_{min}$ and $r_{max}$ are uninstantiated constants. In this formulation, a nominal
duration ($R$) of an interval is assumed determined from the implementation. We set a
lower bound on $R$ by placing restrictions on the events $S^i$. This restriction is done by
bounding the amount of adjustment that a nonfaulty process can apply in any synchronization
interval. In Chapter 3, the term $\alpha(\beta' + 2\Lambda')$ is shown to bound $|ADJ^i_p|$ for
nonfaulty process $p$. The function $\alpha$ is introduced in condition 4, $\beta'$ is a bound on the
separation of clocks at a particular Clocktime in each interval, and $\Lambda'$ bounds the error in
estimating the value of a remote clock.
Condition 8 (bounded interval) For nonfaulty clock $p$,

$$ S^i + \alpha(\beta' + 2\Lambda') < T^{i+1}_p < S^{i+1} - \alpha(\beta' + 2\Lambda') $$

By remembering that $S^i = iR + S^0$, it is easy to see that $R > 2\alpha(\beta' + 2\Lambda')$. Thus we
can define $r_{min}$ as $(R - \alpha(\beta' + 2\Lambda'))/(1 + \rho)$ and $r_{max}$ as $(1 + \rho)(R + \alpha(\beta' + 2\Lambda'))$.


We need a condition to ensure that process $q$ does not start its $(i + 1)$th clock before
process $p$ starts its $i$th clock. The following condition is sufficient to meet this requirement;
it is a simple restatement of Shankar's condition 6, using the definition of $r_{min}$ from
Shankar's condition 3.

Condition 9 (nonoverlap)

$$ \beta \le \frac{R - \alpha(\beta' + 2\Lambda')}{1 + \rho} $$

This condition essentially defines an additional constraint on $R$; namely, that $R \ge
(1 + \rho)\beta + \alpha(\beta' + 2\Lambda')$, when $\beta$ bounds the maximum separation of $t^i_p$ and $t^i_q$.

2.2.4 Constraints on Skew 

Shankar assumes the following additional conditions for an algorithm to be verified in 
this theory. These additional constraints were determined in the course of his proof of 
theorem 2.1. 

1. $\pi(2\Lambda + 2\beta\rho,\; \delta_S + 2\rho(r_{max} + \beta) + 2\Lambda) \le \delta_S$

2. $\delta_S + 2\rho r_{max} \le \delta$

3. $\alpha(\delta_S + 2\rho(r_{max} + \beta) + 2\Lambda) + \Lambda + \rho\beta \le \delta$

These conditions relate the skew $\delta$ guaranteed by the theory with the properties of precision
enhancement and accuracy preservation.

When Clocktime was changed to range over the integers, these conditions had to be
modified. The bounds were altered to correspond to the revised version of bounded drift.
Shankar's version of bounded drift was converted to correspond to corollary 5.1. (This
is stated as axioms rate_1 and rate_2 in module clockassumptions (appendix A).) The
mechanical proof was rerun and yielded the following constraints:

1. $\pi(\lceil 2\Lambda + 2\beta\rho \rceil + 1,\; \delta_S + \lceil 2\rho(r_{max} + \beta) + 2\Lambda \rceil + 1) \le \delta_S$

2. $\delta_S + \lceil 2\rho r_{max} \rceil + 1 \le \delta$

3. $\alpha(\delta_S + \lceil 2\rho(r_{max} + \beta) + 2\Lambda \rceil + 1) + \Lambda + \lceil 2\rho\beta \rceil + 1 \le \delta$
The arguments used are identical to those presented by Shankar. The only difference is
that additional manipulations were needed with the floor and ceiling functions in order 
to complete the proof. Appendix A contains the proof chain analysis which confirms that 
these constraints are sufficient to prove theorem 2.1. 

Since $\rho$ is typically very small ($< 10^{-5}$), the above reworked constraints appear overly
conservative. It is possible to prove theorem 2.1 by assuming the following:

1. $4\rho r_{max} + \pi(\lfloor 2\Lambda' + 2 \rfloor,\; \lfloor \beta' + 2\Lambda' \rfloor) \le \beta'$

2. $\lceil (1 + \rho)\beta + 2\rho r_{max} \rceil \le \delta$

3. $\alpha(\lfloor \beta' + 2\Lambda' \rfloor) + \Lambda + \lceil 2\rho\delta \rceil + 1 \le \delta$

A proof sketch can be found in appendix A. 

2.2.5 Unnecessary Conditions 

Two of the conditions presented in Shankar’s report were found to be unnecessary. 
Shankar and Schneider both assume the following conditions in their proofs: 

Shankar's Condition 4 (bounded delay) For nonfaulty clocks $p$ and $q$,

$$ |t^i_q - t^i_p| < \beta $$


The condition states that the elapsed time between two processes starting their $i$th interval
clock is bounded. This property is closely related to the end result of the general
theory (bounded skew) and should be derived in the context of an arbitrary algorithm.

The related property for nonfaulty clocks $p$ and $q$,

is proven independently of the algorithm in Chapter 3. This gives sufficient information
to prove bounded delay directly from the algorithm; however, this proof depends on the
interpretation of $T^{i+1}_p$. Two interpretations and their corresponding proofs are also given
in Chapter 3.

The next condition states that all good clocks begin executing the protocol at the 
same instant of real time (and defines that time to be 0): 

Shankar's Condition 5 (initial synchronization) For nonfaulty clock $p$,

$$ t^0_p = 0 $$


It is not possible to guarantee that all clocks start at the same instant of time; thus,
no implementation can guarantee this property. This property is used, in conjunction
with Shankar's condition 1, to ensure the base case of the induction required to prove
theorem 2.1. By defining $t^0_p = ic^0_p(T^0)$, we can readily prove the base case with
conditions 5 and 7. Some constant clock time known to all good clocks is represented by $T^0$
(i.e., $T^0$ is the clock time in the initial state). The definition of $t^0_p$ states that all nonfaulty
clocks start the protocol at the same Clocktime.
Chapter 3

General Solution for Bounded Delay


The condition of bounded delay asserts that any two nonfaulty clocks begin each synchronization
interval at approximately the same real time. This property is nearly as
strong as theorem 2.1. In fact, the result follows immediately for some synchronization
protocols. This chapter establishes, for many synchronization protocols, that the condition
of bounded delay follows from the remaining conditions enumerated in Chapter 2.

Schneider's schema assumes that

$$ |t^i_p - t^i_q| < \beta $$

for good clocks $p$ and $q$, where $t^i_p$ denotes the real time that clock $p$ begins its $i$th interval
clock (this is condition 4 in Shankar's presentation). Anyone wishing to use the generalized
proof to verify the correctness of an implementation must prove that this property
is satisfied by their implementation. For the algorithm presented in reference 2, this is a
nontrivial proof.

The difficulty stems, in part, from the inherent ambiguity in the interpretation of $t^{i+1}_p$.
Relating the event to a particular clock time is difficult because it serves as a crossover
point between two interval clocks. The logical clock implemented by the algorithm
undergoes an instantaneous shift in its representation of time. Thus the local clock readings
surrounding the time of adjustment may show a particular clock time twice or never.
The event $t^{i+1}_p$ is determined by the algorithm to occur when $IC^i_p(t) = T^{i+1}_p$; that is, $T^{i+1}_p$
is the clock time for applying the adjustment $ADJ^i_p = adj^{i+1}_p - adj^i_p$. This also means
that $t^{i+1}_p = ic^i_p(T^{i+1}_p)$. In an instantaneous adjustment algorithm there are at least two
possibilities:

1. $T^{i+1}_p = (i + 1)R + T^0$,

2. $T^{i+1}_p = (i + 1)R + T^0 - ADJ^i_p$

A more stable frame of reference is needed for bounding the separation of events. Welch
and Lynch (ref. 2) exploit their mechanism for reading remote clocks to provide this frame
of reference. Every clock in the system sends a synchronization pulse when its virtual clock
reads $S^i = iR + S^0$, where $S^0$ denotes the first exchange of clock values. Let $s^i_p$ be an
abbreviation for $ic^i_p(S^i)$. If we ignore any implied interpretation of event $s^i_p$ and just select
values of $S^i$ which satisfy condition 8, we have sufficient information to prove bounded
delay for an arbitrary algorithm. These results were previously presented in reference 23.

3.1 Bounded Delay Offset 

The general proof follows closely an argument given in reference 2. The proof adapted
is that of theorem 4 of reference 2, section 6. We wish to prove for good clocks $p$ and $q$
that

$$ |t^i_p - t^i_q| < \beta $$

To establish this, we must first prove the following theorem:

Theorem 3.1 (bounded delay offset) For nonfaulty clocks $p$ and $q$ and for $i \ge 0$,

(a) If $i \ge 1$, then $|ADJ^{i-1}_p| < \alpha(\beta' + 2\Lambda')$

(b) $|s^i_p - s^i_q| < \beta'$

Proof: The proof of theorem 3.1 is by induction on $i$. The base case ($i = 0$) is trivial;
part (a) is vacuously true and part (b) is a direct consequence of conditions 7 and 5.

By assuming that parts (a) and (b) are true for $i$, we proceed by showing they hold
for $i + 1$.

To prove the induction step for theorem 3.1(a), we begin by recognizing that

$$ ADJ^{(i+1)-1}_p = adj^{i+1}_p - adj^i_p = cfn(p, \Theta^{i+1}_p) - IC^i_p(t^{i+1}_p) $$

Because $IC^i_p(t^{i+1}_p) = \Theta^{i+1}_p(p)$ (no error in reading own clock), we have an instance of
accuracy preservation:

$$ |cfn(p, \Theta^{i+1}_p) - \Theta^{i+1}_p(p)| \le \alpha(X) $$

All that is required is to show that $\beta' + 2\Lambda'$ substituted for $X$ satisfies the hypotheses of
accuracy preservation.

We need to establish that for good $l$, $m$,

$$ |\Theta^{i+1}_p(l) - \Theta^{i+1}_p(m)| < \beta' + 2\Lambda' $$

We know from the induction hypothesis that for good clocks $p$ and $q$,

By reading error and the induction hypothesis, we get for nonfaulty clocks $p$ and $q$

$$ |(\Theta^{i+1}_p(q) - IC^i_p(t^{i+1}_p)) - (s^i_p - s^i_q)| < \Lambda' $$

¹ Recall that in this formulation, values of type time and Clocktime are both promoted to type number.

We proceed as follows:

$$
\begin{aligned}
|\Theta^{i+1}_p(l) - \Theta^{i+1}_p(m)|
&= |(\Theta^{i+1}_p(l) - \Theta^{i+1}_p(m)) + (IC^i_p(t^{i+1}_p) - IC^i_p(t^{i+1}_p)) + (s^i_p - s^i_p) + (s^i_l - s^i_l) + (s^i_m - s^i_m)| \\
&\le |s^i_l - s^i_m| + |(\Theta^{i+1}_p(l) - IC^i_p(t^{i+1}_p)) - (s^i_p - s^i_l)| + |(\Theta^{i+1}_p(m) - IC^i_p(t^{i+1}_p)) - (s^i_p - s^i_m)| \\
&< \beta' + 2\Lambda'
\end{aligned}
$$

We get the last step by substituting $l$ and $m$ for $p$ and $q$, respectively, in the induction
hypothesis, then by using reading error twice, substituting first $l$ for $q$ and then
$m$ for $q$.

The proof of the induction step for theorem 3.1(b) proceeds as follows. All supporting
lemmas introduced in this section implicitly assume that theorems 3.1(a) and 3.1(b) are
both true for $i$ and that theorem 3.1(a) is true for $i + 1$. In the presentation of Welch and
Lynch (ref. 2), they introduce a variant of precision enhancement. We restate it here in
the context of the general protocol:

Lemma 3.1.1 For good clocks $p$ and $q$,

$$ |(s^i_p - s^i_q) - (ADJ^i_p - ADJ^i_q)| < \pi(2\Lambda' + 2,\; \beta' + 2\Lambda') $$

Proof: We begin by recognizing that $ADJ^i_p = cfn(p, (\lambda \ell.\, \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p)))$ (and
similarly for $ADJ^i_q$). A simple rearrangement of the terms gives us

$$ |(s^i_p - s^i_q) - (ADJ^i_p - ADJ^i_q)| = |(ADJ^i_p - s^i_p) - (ADJ^i_q - s^i_q)| $$

We would like to use translation invariance to help convert this to an instance of precision
enhancement. However, translation invariance only applies to values of type Clocktime (a
synonym for integer). We need to convert the real values $s^i_p$ and $s^i_q$ to integer values while
preserving the inequality. We do this via the integer floor and ceiling functions. Without
loss of generality, assume that $(ADJ^i_p - s^i_p) \ge (ADJ^i_q - s^i_q)$. Thus,

$$
\begin{aligned}
&|(ADJ^i_p - s^i_p) - (ADJ^i_q - s^i_q)| \\
&\le |(ADJ^i_p - \lfloor s^i_p \rfloor) - (ADJ^i_q - \lceil s^i_q \rceil)| \\
&= |cfn(p, (\lambda \ell.\, \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor s^i_p \rfloor)) - cfn(q, (\lambda \ell.\, \Theta^{i+1}_q(\ell) - IC^i_q(t^{i+1}_q) - \lceil s^i_q \rceil))|
\end{aligned}
$$

All that is required is to demonstrate that if

$$ (\lambda \ell.\, \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor s^i_p \rfloor) = \gamma $$

and

$$ (\lambda \ell.\, \Theta^{i+1}_q(\ell) - IC^i_q(t^{i+1}_q) - \lceil s^i_q \rceil) = \theta $$

they satisfy the hypotheses of precision enhancement.

We know from reading error and the induction hypothesis that

$$ |(\Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p)) - (s^i_p - s^i_\ell)| < \Lambda' $$

To satisfy the first hypothesis of precision enhancement, we notice that

$$
\begin{aligned}
&|(\lambda \ell.\, \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor s^i_p \rfloor)(\ell) - (\lambda \ell.\, \Theta^{i+1}_q(\ell) - IC^i_q(t^{i+1}_q) - \lceil s^i_q \rceil)(\ell)| \\
&= |(\Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor s^i_p \rfloor) - (\Theta^{i+1}_q(\ell) - IC^i_q(t^{i+1}_q) - \lceil s^i_q \rceil)| \\
&= |((\Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p)) - (\lfloor s^i_p \rfloor - s^i_\ell)) - ((\Theta^{i+1}_q(\ell) - IC^i_q(t^{i+1}_q)) - (\lceil s^i_q \rceil - s^i_\ell))| \\
&< 2\Lambda' + 2
\end{aligned}
$$

Therefore, we can substitute $2\Lambda' + 2$ for $X$ to satisfy the first hypothesis of precision
enhancement.

To satisfy the second and third hypotheses, we proceed as follows (the argument presented
is for $(\lambda \ell.\, \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor s^i_p \rfloor) = \gamma$). We need a value of $Y$ such that

$$ |(\lambda \ell.\, \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor s^i_p \rfloor)(\ell) - (\lambda \ell.\, \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor s^i_p \rfloor)(m)| \le Y $$

We know that

$$
\begin{aligned}
&|(\lambda \ell.\, \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor s^i_p \rfloor)(\ell) - (\lambda \ell.\, \Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor s^i_p \rfloor)(m)| \\
&= |(\Theta^{i+1}_p(\ell) - IC^i_p(t^{i+1}_p) - \lfloor s^i_p \rfloor) - (\Theta^{i+1}_p(m) - IC^i_p(t^{i+1}_p) - \lfloor s^i_p \rfloor)| \\
&= |\Theta^{i+1}_p(\ell) - \Theta^{i+1}_p(m)|
\end{aligned}
$$

The argument in theorem 3.1(a) shows that this value is bounded by $\beta' + 2\Lambda'$, which is the
desired $Y$ for the remaining hypotheses of precision enhancement. ■

Now we bound the separation of $ic^{i+1}_p(T)$ and $ic^{i+1}_q(T)$ for all $T$.

Lemma 3.1.2 For good clocks $p$ and $q$ and clock time $T$,

$$ |ic^{i+1}_p(T) - ic^{i+1}_q(T)| < 2\rho(|T - S^i| + \alpha(\beta' + 2\Lambda')) + \pi(2\Lambda' + 2,\; \beta' + 2\Lambda') $$

Proof: The proof is taken verbatim (with the exception of notational differences) from
reference 2, lemma 10.

Note that

$$ ic^{i+1}_p(T) = ic^i_p(T - ADJ^i_p) \quad\text{and}\quad ic^{i+1}_q(T) = ic^i_q(T - ADJ^i_q) $$

Now

$$
\begin{aligned}
|ic^{i+1}_p(T) - ic^{i+1}_q(T)|
&\le |ic^i_p(T - ADJ^i_p) - s^i_p - (T - ADJ^i_p - S^i)| \\
&\quad + |ic^i_q(T - ADJ^i_q) - s^i_q - (T - ADJ^i_q - S^i)| \\
&\quad + |(s^i_p - s^i_q) - (ADJ^i_p - ADJ^i_q)|
\end{aligned}
$$

The three terms are bounded separately. By corollary 5.3 of bounded drift (condition 5),
we get

$$
\begin{aligned}
|ic^i_p(T - ADJ^i_p) - s^i_p - (T - ADJ^i_p - S^i)|
&\le \rho\,|T - S^i - ADJ^i_p| \\
&\le \rho(|T - S^i| + \alpha(\beta' + 2\Lambda'))
\end{aligned}
$$

from theorem 3.1(a) for $i + 1$. The second term is similarly bounded. Lemma 3.1.1 bounds
the third term. Adding the bounds and simplifying gives the result. ■

This leads to the desired result:

Lemma 3.1.3 For good clocks $p$ and $q$,

$$ |s^{i+1}_p - s^{i+1}_q| \le 2\rho(R + \alpha(\beta' + 2\Lambda')) + \pi(2\Lambda' + 2,\; \beta' + 2\Lambda') < \beta' $$

Proof: This is simply an instance of lemma 3.1.2 with $S^{i+1}$ substituted for $T$. ■

This completes the proof of theorem 3.1. Algebraic manipulations on the inequality

$$ 2\rho(R + \alpha(\beta' + 2\Lambda')) + \pi(2\Lambda' + 2,\; \beta' + 2\Lambda') < \beta' $$

give us an upper bound for $R$.


3.2 Bounded Delay for Two Algorithm Schemata

We begin by noticing that both instantaneous adjustment schemata presented at the
beginning of this chapter allow for a simple derivation of $\beta$ that satisfies the condition of
bounded delay (Shankar's condition 4). Notice that knowledge of the algorithm is required
in order to fully establish this property.

Theorem 3.2 (bounded delay) For nonfaulty clocks $p, q$ employing either of the two
instantaneous adjustment schemata presented, there is a $\beta$ such that

$$ |t^i_p - t^i_q| < \beta $$

Proof: It is important to remember that $t^{i+1}_p = ic^i_p(T^{i+1}_p) = ic^{i+1}_p(T^{i+1}_p + ADJ^i_p)$.

1. When $T^{i+1}_p = (i + 1)R + T^0$, let $\beta = 2\rho(R - (S^0 - T^0)) + \beta'$.

In this case, since $T^{i+1}_p = T^{i+1}_q = (i + 1)R + T^0$, all that is required is a simple
application of corollary 5.2 and expanding the definition of $S^i$; that is, $S^i = iR + S^0$.

$$ |t^{i+1}_p - t^{i+1}_q| \le |s^i_p - s^i_q| + 2\rho((i + 1)R + T^0 - S^i) < \beta' + 2\rho(R - (S^0 - T^0)) $$

2. When $T^{i+1}_p = (i + 1)R + T^0 - ADJ^i_p$, let $\beta = \beta' - 2\rho(S^0 - T^0)$.

This case requires the observation that $T^{i+1}_p + ADJ^i_p = T^{i+1}_q + ADJ^i_q = (i + 1)R + T^0$.
By substituting $(i + 1)R + T^0$ for $T$ in lemma 3.1.2 and remembering that $S^i = iR + S^0$,
we get

$$ |t^{i+1}_p - t^{i+1}_q| < 2\rho((R - (S^0 - T^0)) + \alpha(\beta' + 2\Lambda')) + \pi(2\Lambda' + 2,\; \beta' + 2\Lambda') $$

We know that

$$ 2\rho(R + \alpha(\beta' + 2\Lambda')) - 2\rho(S^0 - T^0) + \pi(2\Lambda' + 2,\; \beta' + 2\Lambda') < \beta' - 2\rho(S^0 - T^0) $$

Simple algebra completes the proof of this case.

Condition 7 establishes $|t^0_p - t^0_q| < \beta$ for both of these schemata. ■

This result has no impact on the proofs performed by Shankar. The only difference is 
that bounded delay is no longer an assumption. However, it is possible that some bounds 
and arguments can be improved. 

3.3 Ehdm Proofs of Bounded Delay 

The Ehdm (version 5.2) proofs and supporting definitions and axioms are in the modules
delay, delay2, delay3, and delay4. LaTeX-formatted listings of these modules are in
appendix B. A slightly modified version of Shankar's module clockassumptions is also
included in appendix A for completeness. Some of the revised constraints presented in
Chapter 2 are in module delay. The most difficult aspect of the proofs was determining a
reasonable predicate to express nonfaulty clocks. Since we would like to express transient-fault
recovery in the theory, it is necessary to avoid the axiom correct_closed from Shankar's
module clockassumptions. This axiom has not yet been removed from the general theory.
None of the proofs of bounded delay offset depend on it, however. The notion of nonfaulty
clocks is expressed by the following from module delay:

correct_during: function[process, time, time → bool] =
    (λ p, t, s : t ≤ s ∧ (∀ t₁ : t ≤ t₁ ∧ t₁ ≤ s ⊃ correct(p, t₁)))
wpred: function[event → function[process → bool]]
rpred: function[event → function[process → bool]]
wvr_pred: function[event → function[process → bool]] =
    (λ i : (λ p : wpred(i)(p) ∨ rpred(i)(p)))

wpred_ax: Axiom count(wpred(i), N) ≥ N − F

wpred_correct: Axiom wpred(i)(p) ⊃ correct_during(p, t^i_p, t^{i+1}_p)
wpred_preceding: Axiom wpred(i + 1)(p) ⊃ wpred(i)(p) ∨ rpred(i)(p)
wpred_rpred_disjoint: Axiom ¬(wpred(i)(p) ∧ rpred(i)(p))
wpred_bridge: Axiom
    wvr_pred(i)(p) ∧ correct_during(p, t^{i+1}_p, t^{i+2}_p) ⊃ wpred(i + 1)(p)
Also, module delay3 states the following axiom:

recovery_lemma: Axiom
    delay_pred(i) ∧ ADJ_pred(i + 1)
    ∧ rpred(i)(p) ∧ correct_during(p, t^{i+1}_p, t^{i+2}_p) ∧ wpred(i + 1)(p)


d k 


<ff 


Two predicates are defined, wpred and rpred. Wpred is used to denote a working
process that is not faulty and is in the proper state. Rpred denotes a process that
is not faulty but has not yet recovered proper state information. Correct is a predicate
from Shankar's proof that states whether a clock is fault free at a particular instant
of real time. Correct_during is used to denote correctness of a clock over an interval
of time. In order to reason about transient recovery it is necessary to provide an rpred
that satisfies these relationships. If we do not plan on establishing transient recovery, let
rpred(i)(p) = false. In this case, axioms recovery_lemma and wpred_rpred_disjoint are
vacuously true, and the remaining axioms are analogous to Shankar's correct_closed. This
reduces to a system in which the only correct clocks are those that have been so since the
beginning of the protocol. This is precisely what should be true if no recovery is possible.

The restated property of bounded drift is captured by axioms RATE_1 and RATE_2.
The new constraints for bounded interval are rts_new_1 and rts_new_2. Bounded delay
initialization is expressed by bnd_delay_init. The third clause of the new reading error is
reading_error3. The other two clauses are not used in this proof. An additional assumption
not included in the constraints given in Chapter 2 is that there is no error in reading
your own clock. This is captured by read_self. All these can be found in module delay.
In addition, a few assumptions were included to define interrelationships of some of the
constants required by the theory.

The statement of theorem 3.1 is bnd_delay_offset in module delay2. The main step
of the inductive proof for theorem 3.1(a) is captured by good_Readclock, which, with accuracy
preservation, was sufficient to establish bnd_delay_offset_ind_a. Theorem 3.1(b)
is more involved. Lemma delay_prec_enh in module delay2 is the machine-checked version
of lemma 3.1.1. Module delay3 contains the remaining proofs for theorem 3.1(b).
Lemma 3.1.2 is presented as bound_future. The first two terms in the proof are bounded
by bound_future1; the third, by delay_prec_enh. Lemma bound_FIXTIME completes
the proof.


Module delay4 contains the proofs that each of the proposed substitutions for $\beta$ satisfy
the condition of bounded delay. Option 1 is captured by option1_bounded_delay, and option
2 is expressed by option2_bounded_delay. The Ehdm proof chain status, demonstrating
that all proof obligations have been met, can also be found in appendix B. The task of

substitution of reals for integers and arithmetic sign errors.

Module new_basics restates Shankar's condition 8 as rts0_new and rts1_new with the
substitutions suggested in section 2.2.3 for $r_{max}$ and $r_{min}$. These substitutions are proven
to bound $t^{i+1}_p - t^i_p$ for each of the proposed algorithm schemata in module rmax_rmin.
The revised statement of condition 9 can also be found in module new_basics; it is axiom
nonoverlap. The modules new_basics and rmax_rmin provide the foundations for a
mechanically checked version of the informal proof of theorem 2.1 given in appendix A.


3.4 New Theory Obligations 

This revision to the theory leaves us with a set of conditions that are much easier
to satisfy for a particular implementation. Establishing that an implementation is an
instance of this extended theory requires the following obligations.

1. Prove the properties of translation invariance, precision enhancement, and accuracy
preservation for the chosen convergence function

2. Derive bounds for reading error from the implementation (condition 6, clauses 1
and 3)

3. Solve the derived inequalities listed at the end of Chapter 2 with values determined
from the implementation and properties of the convergence function

4. Satisfy the conditions of bounded interval and nonoverlap by using the derived
values.

5. Identify data structures in the implementation that correspond to the algebraic
definitions of clocks; show that the structures used in the implementation satisfy the
definitions

6. Show that the implementation correctly executes an instance of the following algorithm
schema:

    i ← 0
    do forever {
        exchange clock values
        determine adjustment for this interval
        determine T^{i+1} (local time to apply correction)
        when IC^i(t) = T^{i+1} apply correction; i ← i + 1 }

7. Provide a mechanism for establishing initial synchronization ($|t^0_p - t^0_q| < \beta' - 2\rho(S^0 - T^0)$);
ensure that $\beta'$ is as small as possible within the constraints of the aforementioned
inequalities

8. If the protocol does not behave in the manner of either instantaneous adjustment
option presented, it will be necessary to use another means to establish $\forall i : |t^i_p - t^i_q| <
\beta$ from $\forall i : |s^i_p - s^i_q| < \beta'$.

Requirement 1 is established in Chapter 4; requirements 2, 3, 4, 5, and 6 are demonstrated
for an abstract design in Chapter 5; and requirement 7 is established in Chapter 6. The
inequalities used in satisfying requirement 3 are the ones developed in the course of this
work, even though the proof has not yet been subjected to mechanical verification. The
proof sketch in appendix A is sufficient for the current development. Requirement 8 is
trivially satisfied because the design described herein uses one of the two verified schemata.
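The algorithm schema of obligation 6 run under the two instantaneous-adjustment options of theorem 3.2, as an added example that is not part of the report or its Ehdm modules. It assumes the fault-tolerant midpoint of Chapter 4 with $\alpha(X) = X$ and $\pi(X, Y) = \lceil Y/2 \rceil + X$; the parameter values ($R = 1000$, $S^0 = 500$, $T^0 = 0$, $\rho = 10^{-4}$, $F = 1$, $N = 4$, $\beta' = 18$, $\Lambda' = 2$), the clock rates, initial offsets and the faulty clock's behaviour are all constructed here.

```python
"""Simulation of the interval-clock schema of section 3.4 under the two
instantaneous-adjustment options for T^{i+1} of theorem 3.2.  Added example,
not the report's Ehdm development: clock rates, initial offsets, the faulty
clock's behaviour and all parameter values are constructed for illustration."""
import math
from fractions import Fraction
from typing import Dict, List

R, S0, T0, F = 1000, 500, 0, 1           # R, S^0, T^0, F (constructed values)
RHO = Fraction(1, 10_000)                # ρ; exact rational so the clock arithmetic is exact
BETA_PRIME, LAMBDA_PRIME = 18, 2         # β', Λ' chosen so that lemma 3.1.3's inequality holds


def alpha_mid(X: int) -> int:
    """α(X) = X for the fault-tolerant midpoint (theorem 4.2)."""
    return X


def pi_mid(X: int, Y: int) -> int:
    """π(X, Y) = ceil(Y/2) + X for the fault-tolerant midpoint (theorem 4.1)."""
    return math.ceil(Y / 2) + X


def delay_offset_inequality(rho: Fraction, r: int, beta_prime: int, lambda_prime: int) -> bool:
    """2ρ(R + α(β' + 2Λ')) + π(2Λ' + 2, β' + 2Λ') < β'  (the inequality of lemma 3.1.3)."""
    y = beta_prime + 2 * lambda_prime
    return 2 * rho * (r + alpha_mid(y)) + pi_mid(2 * lambda_prime + 2, y) < beta_prime


def fault_tolerant_midpoint(values: List[int], f: int) -> int:
    """cfn_MID: floor of the midpoint of θ_(F+1) and θ_(N-F); the F largest and
    F smallest readings are dropped."""
    srt = sorted(values, reverse=True)
    return (srt[f] + srt[len(srt) - f - 1]) // 2


def simulate(option: int, intervals: int = 25) -> Dict[str, float]:
    """Run synchronization intervals 0..intervals-1 and report the worst
    |s^i_p - s^i_q|, the worst |t^{i+1}_p - t^{i+1}_q| and the largest |ADJ^i_p|
    over the good clocks.  Good clock p runs at rate 1 + ρ_p with |ρ_p| <= ρ and
    keeps an integer correction adj^i_p.  Clock 3 is faulty: its pulse reaches
    different receivers at different real times (Byzantine).  Option 1 applies
    T^{i+1}_p = (i+1)R + T^0; option 2 applies T^{i+1}_p = (i+1)R + T^0 - ADJ^i_p."""
    rates = [RHO, Fraction(0), -RHO]     # ρ_p for the three good clocks
    adj = [0, 5, -5]                     # adj^0_p; gives |s^0_p - s^0_q| ≈ 10 < β' - 2ρ(S^0 - T^0)
    good = range(len(rates))

    def ic(p: int, T: int) -> Fraction:  # ic^i_p(T): real time at which p's current clock shows T
        return (T - adj[p]) / (1 + rates[p])

    def IC(p: int, t: Fraction) -> int:  # IC^i_p(t): integer Clocktime shown by p's clock at real time t
        return math.floor((1 + rates[p]) * t) + adj[p]

    worst_s = worst_t = Fraction(0)
    max_adj = 0
    for i in range(intervals):
        S_i = i * R + S0
        s = [ic(p, S_i) for p in good]   # s^i_p: real time of p's synchronization pulse
        ADJ = []
        for p in good:
            # Θ^{i+1}_p(q) - IC^i_p(t^{i+1}_p) is p's estimate of s^i_p - s^i_q, taken from the
            # Clocktime at which q's pulse arrived; the estimate is off by less than Λ' = 2.
            arrivals = list(s) + [Fraction(S_i + (30 if p % 2 == 0 else -30))]   # last: faulty clock
            estimates = [S_i - IC(p, a) for a in arrivals]
            ADJ.append(fault_tolerant_midpoint(estimates, F))   # = cfn(p, Θ) - IC by translation invariance
        T_next = [(i + 1) * R + T0 - (ADJ[p] if option == 2 else 0) for p in good]
        t_next = [ic(p, T_next[p]) for p in good]               # t^{i+1}_p, measured on clock i
        for p in good:
            adj[p] += ADJ[p]                                    # adj^{i+1}_p = adj^i_p + ADJ^i_p
        worst_s = max(worst_s, max(s) - min(s))
        worst_t = max(worst_t, max(t_next) - min(t_next))
        max_adj = max(max_adj, max(abs(a) for a in ADJ))
    return {"skew_s": float(worst_s), "skew_t": float(worst_t), "max_adj": max_adj}
```

Under either option the worst pulse separation stays below $\beta'$ and the worst start-of-interval separation below the $\beta$ given for that option in theorem 3.2, while every $|ADJ^i_p|$ stays below $\alpha(\beta' + 2\Lambda')$.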
Chapter 4

Fault-Tolerant Midpoint as an Instance of Schneider's Schema


The convergence function selected for the design described in Chapter 5 is the fault-tolerant
midpoint used by Welch and Lynch in reference 2. The function consists of discarding
the $F$ largest and $F$ smallest clock readings⁵, and then determining the midpoint
of the range of the remaining readings. Its formal definition is

$$ cfn_{MID}(p, \theta) = \left\lfloor \frac{\theta_{(F+1)} + \theta_{(N-F)}}{2} \right\rfloor $$

where $\theta_{(m)}$ returns the $m$th largest element in $\theta$. This formulation of the convergence
function is different from that used in reference 2. A proof of equality between the two
formulations is not needed because it is shown that this formulation satisfies the properties
required by Schneider's paradigm. For this function to make sense, we want the number
of clocks in the system to be greater than twice the number of faults, $N \ge 2F + 1$. In
order to complete the proofs, however, we need the stronger assumption that $N \ge 3F + 1$.
Dolev, Halpern, and Strong have proven that clock synchronization is impossible (without
authentication) if there are fewer than $3F + 1$ clocks. (See ref. 3.) Consider a system with
$3F$ clocks. If $F$ clocks are faulty, then it is possible for two clusters of nonfaulty clocks
to form, each of size $F$. Label the clusters $C_1$ and $C_2$. Without loss of generality, assume
that the clocks in $C_1$ are faster than the clocks in $C_2$. In addition, the remaining $F$ clocks
are faulty and are in cluster $C_F$. If the clocks in $C_F$ behave in a manner such that they
all appear to be fast to the clocks in $C_1$ and slow to the clocks in $C_2$, clocks in each of the
clusters will only use readings from other clocks within their own cluster. Nothing will
prevent the two clusters from drifting farther apart. The one additional clock ensures that
for any pair of good clocks, the ranges of the readings used in the convergence function
overlap.

This section presents proofs that $cfn_{MID}(p, \theta)$ satisfies the properties required by
Schneider's theory. The Ehdm proofs are presented in appendix C and assume that a
deterministic sorting algorithm arranges the array of clock readings.

⁵ Remember that condition 1 defines $F$ to be the maximum number of faults tolerated.
The properties presented in this chapter are applicable for any clock synchronization
protocol that employs the fault-tolerant midpoint convergence function. All that is required
for a verified implementation is a proof that the function is correctly implemented
and proofs that the other conditions have been satisfied. The weak forms of precision
enhancement and accuracy preservation are used to simplify the arguments for transient
recovery given in Chapter 6.

4.1 Translation Invariance 

Recall that translation invariance states that the value obtained by adding Clocktime $X$
to the result of the convergence function should be the same as adding $X$ to each of the
clock readings used in evaluating the convergence function. The condition is restated here
for easy reference exactly as presented in Chapter 2.

Condition 2 (translation invariance) For any function $\theta$ mapping clocks to clock
values,

$$ cfn(p, (\lambda n : \theta(n) + X)) = cfn(p, \theta) + X $$

Translation invariance is evident by noticing that for all $m$

$$ (\lambda l : \theta(l) + X)_{(m)} = \theta_{(m)} + X $$

and

$$ \left\lfloor \frac{(\theta_{(F+1)} + X) + (\theta_{(N-F)} + X)}{2} \right\rfloor = \left\lfloor \frac{\theta_{(F+1)} + \theta_{(N-F)}}{2} \right\rfloor + X $$


4.2 Precision Enhancement 

As mentioned in Chapter 2, precision enhancement is a formalization of the concept
that, after executing the convergence function, the values of interest should be close together.
The proofs do not depend on $p$ and $q$ being in $C$; therefore, the precondition was
removed for the following weakened restatement of precision enhancement:

Condition 3 (precision enhancement) Given any subset $C$ of the $N$ clocks with
$|C| \ge N - F$, then for any readings $\gamma$ and $\theta$ satisfying the conditions

1. For any $l$ in $C$, $|\gamma(l) - \theta(l)| \le X$

2. For any $l, m$ in $C$, $|\gamma(l) - \gamma(m)| \le Y$

3. For any $l, m$ in $C$, $|\theta(l) - \theta(m)| \le Y$

there is a bound $\pi(X, Y)$ such that

$$ |cfn(p, \gamma) - cfn(q, \theta)| \le \pi(X, Y) $$
Theorem 4.1 Precision enhancement is satisfied for $cfn_{MID}(p, \theta)$ if

$$ \pi(X, Y) = \left\lceil \frac{Y}{2} \right\rceil + X $$

One characteristic of $cfn_{MID}(p, \theta)$ is that it is possible for it to use readings from faulty
clocks. If this occurs, we know that such readings are bounded by readings from good
clocks. The next few lemmas establish this fact. To prove these lemmas, it was expedient
to develop a pigeonhole principle.

Lemma 4.1.1 (Pigeonhole Principle) If $N$ is the number of clocks in the system and
$C_1$ and $C_2$ are subsets of these $N$ clocks,

$$ |C_1| + |C_2| \ge N + k \supset |C_1 \cap C_2| \ge k $$

This principle greatly simplifies the existence proofs required to establish the next two
lemmas. First, we establish that the values used in computing the convergence function
are bounded by readings from good clocks.

Lemma 4.1.2 Given any subset $C$ of the $N$ clocks with $|C| \ge N - F$ and any reading $\theta$,
there exist $p, q \in C$ such that

$$ \theta(p) \ge \theta_{(F+1)} \quad\text{and}\quad \theta_{(N-F)} \ge \theta(q) $$

Proof: By definition, $|\{p : \theta(p) \ge \theta_{(F+1)}\}| \ge F + 1$ (similarly, $|\{q : \theta_{(N-F)} \ge \theta(q)\}| \ge
F + 1$). The conclusion follows immediately from the pigeonhole principle. ■

Now we introduce a lemma that allows us to relate values from two different readings
to the same good clock.

Lemma 4.1.3 Given any subset $C$ of the $N$ clocks with $|C| \ge N - F$ and readings $\theta$
and $\gamma$, there exists a $p \in C$ such that

$$ \theta(p) \ge \theta_{(N-F)} \quad\text{and}\quad \gamma_{(F+1)} \ge \gamma(p) $$

Proof: With $N \ge 3F + 1$, we can apply the pigeonhole principle twice: first, to establish
that $|\{p : \theta(p) \ge \theta_{(N-F)}\} \cap C| \ge F + 1$ and second, to establish the conclusion. ■

An immediate consequence of the preceding lemma is that the readings used in computing
$cfn_{MID}(p, \theta)$ bound a reading from a good clock.

The next lemma introduces a useful fact for bounding the difference between good
clock values from different readings.

Lemma 4.1.4 Given any subset $C$ of the $N$ clocks and clock readings $\theta$ and $\gamma$ such that
for any $l$ in $C$, the bound $|\theta(l) - \gamma(l)| \le X$ holds, for all $p, q \in C$,

$$ \theta(p) \ge \theta(q) \wedge \gamma(q) \ge \gamma(p) \supset |\theta(p) - \gamma(q)| \le X $$
Proof: By cases,

1. If $\theta(p) \ge \gamma(q)$, then $|\theta(p) - \gamma(q)| \le |\theta(p) - \gamma(p)| \le X$

2. If $\theta(p) < \gamma(q)$, then $|\theta(p) - \gamma(q)| \le |\theta(q) - \gamma(q)| \le X$. ■

From this lemma, we can establish the following lemma:

Lemma 4.1.5 Given any subset $C$ of the $N$ clocks and clock readings $\theta$ and $\gamma$ such that
for any $l$ in $C$, the bound $|\theta(l) - \gamma(l)| \le X$ holds, there exist $p, q \in C$ such that

$$ \theta(p) \ge \theta_{(F+1)} $$

$$ \gamma(q) \ge \gamma_{(F+1)} $$

$$ |\theta(p) - \gamma(q)| \le X $$

Proof: We know from lemma 4.1.2 that there are $p_1, q_1 \in C$ that satisfy the first two
conjuncts of the conclusion. Three cases to consider are

1. If $\gamma(p_1) \ge \gamma(q_1)$, let $p = q = p_1$

2. If $\theta(q_1) \ge \theta(p_1)$, let $p = q = q_1$

3. Otherwise, we have satisfied the hypotheses for lemma 4.1.4; therefore, we let $p = p_1$
and $q = q_1$. ■

We are now able to establish precision enhancement for $cfn_{MID}(p, \theta)$ (theorem 4.1).

Proof: Without loss of generality, assume $cfn_{MID}(p, \gamma) \ge cfn_{MID}(q, \theta)$:

$$
\begin{aligned}
|cfn_{MID}(p, \gamma) - cfn_{MID}(q, \theta)|
&= \left\lfloor \frac{\gamma_{(F+1)} + \gamma_{(N-F)}}{2} \right\rfloor - \left\lfloor \frac{\theta_{(F+1)} + \theta_{(N-F)}}{2} \right\rfloor \\
&\le \frac{\gamma_{(F+1)} + \gamma_{(N-F)}}{2} - \frac{\theta_{(F+1)} + \theta_{(N-F)} - 1}{2} \\
&= \frac{\gamma_{(F+1)} + \gamma_{(N-F)} - (\theta_{(F+1)} + \theta_{(N-F)})}{2} + \frac{1}{2}
\end{aligned}
$$

Thus we need to show that

$$ |\gamma_{(F+1)} + \gamma_{(N-F)} - (\theta_{(F+1)} + \theta_{(N-F)})| \le Y + 2X $$

By choosing good clocks $p$, $q$ from lemma 4.1.5, $p_1$ from lemma 4.1.3, and $q_1$ from the right
conjunct of lemma 4.1.2, we establish

$$
\begin{aligned}
|\gamma_{(F+1)} + \gamma_{(N-F)} - (\theta_{(F+1)} + \theta_{(N-F)})|
&\le |\gamma(q) + \gamma(p_1) - \theta(p_1) - \theta(q_1)| \\
&= |\gamma(q) + (\theta(p) - \theta(p)) + \gamma(p_1) - \theta(p_1) - \theta(q_1)| \\
&\le |\theta(p) - \theta(q_1)| + |\gamma(q) - \theta(p)| + |\gamma(p_1) - \theta(p_1)| \\
&\le Y + 2X
\end{aligned}
$$

(by hypotheses and lemma 4.1.5). Since the difference of the two convergence values is an
integer bounded by $(Y + 2X + 1)/2$, it is bounded by $\lceil Y/2 \rceil + X$. ■
4.3 Accuracy Preservation

Recall that accuracy preservation formalizes the notion that there should be a bound
on the amount of correction applied in any synchronization interval. The proof establishes
the weak form of accuracy preservation. The bound holds even if $p$ is not in $C$.

Condition 4 (accuracy preservation) Given any subset $C$ of the $N$ clocks, with
$|C| \ge N - F$ and clock readings $\theta$ such that, for any $l$ and $m$ in $C$, the bound
$|\theta(l) - \theta(m)| \le X$ holds, there is a bound $\alpha(X)$ such that for any $q$ in $C$,

$$ |cfn(p, \theta) - \theta(q)| \le \alpha(X) $$

Theorem 4.2 Accuracy preservation is satisfied for $cfn_{MID}(p, \theta)$ if $\alpha(X) = X$.

Proof: Begin by selecting $p_1$ and $q_1$ using lemma 4.1.2. Clearly, $\theta(p_1) \ge cfn_{MID}(p, \theta)$
and $cfn_{MID}(p, \theta) \ge \theta(q_1)$. Two cases to consider are

1. If $\theta(q) \le cfn_{MID}(p, \theta)$, then $|cfn_{MID}(p, \theta) - \theta(q)| \le |\theta(p_1) - \theta(q)| \le X$

2. If $\theta(q) > cfn_{MID}(p, \theta)$, then $|cfn_{MID}(p, \theta) - \theta(q)| \le |\theta(q_1) - \theta(q)| \le X$ ■


4.4 Ehdm Proofs of Convergence Properties 

This section presents the important details of the Ehdm proofs that $cfn_{MID}(p, \theta)$ satisfies the convergence properties. In general, the proofs closely follow the presentation given previously. The Ehdm modules used in this effort are given in appendix C. Supporting proofs, including the Ehdm proof of the pigeonhole principle, are given in an appendix.

One underlying assumption for these proofs is that $N \ge 3F + 1$, which is a well-known requirement for systems to achieve Byzantine fault tolerance without requiring authentication (ref. 3). The statement of this assumption is axiom No_authentication in module ft_mid.assume. As an experiment, this assumption was

The only proof corrupted was that of lemma good_between in module mid3. This corresponds to lemma 4.1.3. Lemma 4.1.3 is central to the proof of precision enhancement; it establishes that for any pair of nonfaulty clocks, there is at least one reading from the same good clock in the range of the readings selected for computation of the convergence function. This prevents a scenario in which two or more clusters of good clocks continue to drift apart, because the values used in the convergence function for any two good clocks are guaranteed to overlap.

Another assumption added for this effort states that the array of clock readings can be sorted. Additionally, a few properties one would expect to be true of a sorted array were assumed. These additional properties used in the Ehdm proofs are (from module clocksort)

funsort_ax: Axiom

$$i \le j \wedge j \le N \supset \vartheta(\mathit{funsort}(\vartheta)(i)) \ge \vartheta(\mathit{funsort}(\vartheta)(j))$$

funsort_trans_inv: Axiom

$$k \le N \supset (\vartheta(\mathit{funsort}(\lambda q : \vartheta(q) + X)(k)) = \vartheta(\mathit{funsort}(\vartheta)(k)))$$

cnt_sort_geq: Axiom

$$k \le N \supset \mathit{count}((\lambda p : \vartheta(p) \ge \vartheta(\mathit{funsort}(\vartheta)(k))), N) \ge k$$

cnt_sort_leq: Axiom

$$k \le N \supset \mathit{count}((\lambda p : \vartheta(\mathit{funsort}(\vartheta)(k)) \ge \vartheta(p)), N) \ge N - k + 1$$
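As an added illustration (not from the paper or its Ehdm modules) of the two properties proved in sections 4.2 and 4.3 and of the role of the $N \ge 3F + 1$ assumption discussed in this section, the following Python checks random reading vectors that satisfy the hypotheses of theorems 4.1 and 4.2 against the bounds, and then constructs an $N = 3$, $F = 1$ instance in which a single Byzantine reading breaks precision enhancement. The bound $\pi(X, Y) = \lceil (Y + 2X)/2 \rceil$, the fault values and the sample readings are this example's own assumptions.

```python
import random


def cfn_mid(theta: list, f: int) -> int:
    """Fault-tolerant midpoint: floor of the mean of the (F+1)th and the
    (N-F)th largest of the N readings (1-based order statistics)."""
    s = sorted(theta, reverse=True)
    return (s[f] + s[len(theta) - f - 1]) // 2


def precision_bound(x: int, y: int) -> int:
    """pi(X, Y) = ceil((Y + 2X) / 2).  Assumed here: it is what the chain
    of inequalities in the theorem 4.1 proof yields once the floors in
    cfn_MID are accounted for; the paper's own pi is not quoted."""
    return -((-(y + 2 * x)) // 2)


def constrained_readings(rng, n, f, x, y):
    """Readings gamma (as seen by p) and theta (as seen by q) satisfying
    the three precision-enhancement hypotheses for the good set
    C = {0, ..., n-f-1}: good readings spread at most Y, and each good
    clock's two readings differ by at most X.  The f faulty clocks send
    arbitrary, mutually inconsistent values to p and to q."""
    good = n - f
    gamma = [rng.randint(0, y) for _ in range(good)]
    theta = [rng.randint(max(0, g - x), min(y, g + x)) for g in gamma]
    gamma += [rng.randint(-10**6, 10**6) for _ in range(f)]
    theta += [rng.randint(-10**6, 10**6) for _ in range(f)]
    return gamma, theta


def worst_cases(n, f, x, y, trials=2000, seed=1):
    """Largest |cfn(p,gamma) - cfn(q,theta)| seen (precision enhancement)
    and largest |cfn(q,theta) - theta(l)| over good l when the good
    readings are within X of each other (accuracy preservation)."""
    rng = random.Random(seed)
    worst_prec = worst_acc = 0
    for _ in range(trials):
        gamma, theta = constrained_readings(rng, n, f, x, y)
        worst_prec = max(worst_prec,
                         abs(cfn_mid(gamma, f) - cfn_mid(theta, f)))
        _, tight = constrained_readings(rng, n, f, x, x)
        c = cfn_mid(tight, f)
        worst_acc = max(worst_acc, max(abs(c - t) for t in tight[:n - f]))
    return worst_prec, worst_acc


def n_equals_3f_counterexample():
    """Constructed N = 3, F = 1 instance (N >= 3F + 1 violated).  The
    selected range collapses to the single median reading, so one
    Byzantine clock that lies high to p and low to q drives the two
    results to opposite ends of the good readings.  Returns the observed
    difference and the bound pi(X, Y) that it exceeds."""
    gamma = [0, 4, 10**6]    # good clocks read 0 and 4; faulty lies high
    theta = [0, 4, -10**6]   # same good readings; faulty lies low
    x, y = 0, 4              # good clocks agree exactly across p and q
    return abs(cfn_mid(gamma, 1) - cfn_mid(theta, 1)), precision_bound(x, y)


if __name__ == "__main__":
    print("N=4, F=1 worst (precision, accuracy):", worst_cases(4, 1, 1, 4),
          "bound", precision_bound(1, 4))
    print("N=3, F=1 (difference, bound):", n_equals_3f_counterexample())
```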

Appendix C contains the proof chain analysis for the three properties. The proof for 
translation invariance is in module mid, precision enhancement is in mid3, and accuracy 
preservation is in mid4. 

A number of lemmas were added to (and proven in) module countmod. The most important of these is the aforementioned pigeonhole principle. In addition, lemma count_complement was moved from Shankar’s module ica3 to countmod. Shankar’s complete proof was rerun after the changes to ensure that nothing was inadvertently destroyed. Basic manipulations involving the integer floor and ceiling functions are presented in module floor_ceil. In addition, the weakened versions of accuracy preservation and translation invariance were added to module clockassumptions. The restatements are axioms accuracy_preservation_recovery_ax and precision_enhancement_recovery_ax, respectively. The revised formulations imply the original formulation, but are more flexible for reasoning about recovery from transient faults because they do not require that the process evaluating the convergence function be part of the collection of working clocks. The proofs that $cfn_{MID}(p, \theta)$ satisfies these properties were performed with respect to the revised formulation. The original formulation of the convergence function properties is retained in the theory because not all convergence functions satisfy the weakened formulas.

Chapter 5 presents a hardware design of a clock synchronization system that uses 
the fault-tolerant midpoint convergence function. The design is shown to satisfy the re- 
maining constraints of the theory. 
Chapter 5

Design of Clock Synchronization System


This chapter describes a design of a fault-tolerant clock synchronization circuit that 
satisfies the constraints of the theory. This design assumes that the network of clocks 
is completely connected. Section 5.1 presents an informal description of the design, and 
section 5.2 demonstrates that the design meets requirements 2 through 6 from section 3.4. 


5.1 Description of Design 

As in other synchronization algorithms, this one consists of an infinite sequence of synchronization intervals $i$ for each clock $p$; each interval is of duration $R + ADJ^i_p$. All good clocks are assumed to maintain an index of the current interval (a simple counter is sufficient, provided that all good channels start the counter in the same interval). Furthermore, the assumption is made that the network of clocks contains a sufficient number of nonfaulty clocks and that the system is already synchronized. In other words, the design described in this chapter preserves the synchronization of the redundant clocks. The issue of achieving initial synchronization is addressed in Chapter 6. The major concern is when to begin the next interval; this consists of both determining the amount of the adjustment and when to apply it. For this, we require readings of the other clocks in the system and a suitable convergence function. As stated in Chapter 4, the selected convergence function is the fault-tolerant midpoint.


In order to evaluate the convergence function to determine the $(i+1)$th interval clock, clock $p$ needs an estimate of the other clocks when local time is $T^{i+1}_p$. All clocks participating in the protocol know to send a synchronization signal when they are $Q$ ticks into the current interval;* that is, when $LC^i_p(t) = Q$, where $LC$ is a counter measuring elapsed time since the beginning of the current interval. Our estimate, $\Theta^{i+1}_p$, of other clocks is

$$\Theta^{i+1}_p(q) = T^{i+1}_p + (Q - LC^i_p(t_{pq}))$$

* This is actually a simplification for the purpose of presentation. Clock $p$ sends its signal so that it will be received at the remote clock when $LC^i_p(t) = Q$.
where $t_{pq}$ is the time when $p$ recognizes the signal from $q$. The value $Q - LC^i_p(t_{pq})$ gives the difference between when the local clock $p$ expected the signal and when it observed a signal from $q$. The reading is taken in such a way that simply adding the value to the current local clock time gives an estimate of the other clock's reading at that instant. It is not important that $Q$ be near the end of the interval. For this system, we assume the drift rate $\rho$ of a good clock is less than $10^{-5}$; this value corresponds to the drift rate of commercially available oscillators. By selecting $R$ to be $\le 10^4$ ticks (a synchronization interval of 1 msec for a 10-MHz clock), the maximum added error of $2\rho R \le 0.2$ caused by clock drift does not appreciably alter the quality of our estimate of a remote clock's value. In this system, $p$ always receives a signal from itself when $LC^i_p(t) = Q$; therefore, no error is made in reading its own clock.


Chapter 3 presents two options for determining when to apply the adjustment. This design employs the second option, namely that

$$T^{i+1}_p = (i+1)R + T^0 - ADJ^i_p$$

Recalling that $\ldots = IC^i_p(T^{i+1}_p) = (\ldots + ADJ^i_p)$ makes it easy to determine from the algebraic clock definitions given in section 2.1 and the above expression, that

$$cfn_{MID}(p, \Theta^{i+1}_p) = IC^{i+1}_p(t^{i+1}_p) = (i+1)R + T^0$$

Since $T^0 = 0$ in this design, we just need to ensure that $cfn_{MID}(p, \Theta^{i+1}_p) = (i+1)R$. Using translation invariance and this definition for $\Theta^{i+1}_p$ gives

$$cfn_{MID}(p, (\lambda q.\ \Theta^{i+1}_p(q) - T^{i+1}_p)) = (i+1)R - T^{i+1}_p = ADJ^i_p$$

Since $\Theta^{i+1}_p(q) - T^{i+1}_p = (Q - LC^i_p(t_{pq}))$, we have

$$ADJ^i_p = cfn_{MID}(p, (\lambda q.\ (Q - LC^i_p(t_{pq}))))$$

In Chapter 4, the fault-tolerant midpoint convergence function was defined as follows:

$$cfn_{MID}(p, \theta) = \left\lfloor \frac{\theta_{(F+1)} + \theta_{(N-F)}}{2} \right\rfloor$$


If we are able to select the $(N-F)$th and $(F+1)$th readings, computing this function in hardware consists of a simple addition followed by an arithmetic shift right.[7] All that remains is to determine the appropriate readings to use. By assumption, there are a sufficient number ($N - F$) of nonfaulty synchronized clocks participating in the protocol. Therefore, we know that we will observe at least $N - F$ pulses during the synchronization interval. Since $Q$ is fixed and $LC$ does not decrease during the interval, the readings $(\lambda q.\ Q - LC^i_p(t_{pq}))$ are sorted into decreasing order by arrival time. Suppose $t_{pq}$ is when the $(F+1)$th pulse is recognized; then $Q - LC^i_p(t_{pq})$ must be the $(F+1)$th largest reading. A similar argument applies to the $(N-F)$th pulse arrival. A pulse counter gives us the

[7] An arithmetic shift right of a two's complement value preserves the sign bit and truncates the least significant bit.
Figure 5.1: Informal block model of clock synchronization circuit (pulse inputs 1, 2, ..., N − 1, N).


necessary information to select appropriate readings for the convergence function. Once $N - F$ pulses have been observed, both the magnitude and time of adjustment can be determined. At this point, the circuit just waits until $LC^i_p(t) = R + ADJ^i_p$ to begin the next interval.

Figure 5.1 presents an informal block model of the clock synchronization circuit. The circuit consists of the following components:[8]

$N$ pulse recognizers (only one pulse per clock is recognized in any given interval)

Pulse counter (triggers events based on pulse arrivals)

Local counter $LC$ (measures elapsed time since beginning of current interval)

Interval counter (contains the index $i$ of the current interval)

One adder for computing the value $-(Q - LC^i_p(t_{pq}))$

One register each for storing $-\theta_{(F+1)}$ and $-\theta_{(N-F)}$

Adder for computing the sum of these two registers

A divide-by-2 component (arithmetic shift right)

The pulses are already sorted by arrival time; therefore, using a pulse counter is natural to select the time stamp of the $(F+1)$th and the $(N-F)$th pulses for the computation

[8] In order to simplify the design, the circuit computes $-ADJ^i_p$, and then subtracts this value when applying the adjustment. Thus the readings captured are $-\theta$ rather than $\theta$.
of the convergence function. As stated previously, all that is required is the difference between the local and remote clocks. Let

$$\theta = (\lambda q.\ \Theta^{i+1}_p(q) - T^{i+1}_p)$$

When the $(F+1)$th ($(N-F)$th) signal is observed, register $-\theta_{(F+1)}$ ($-\theta_{(N-F)}$) is clocked, saving the value $-(Q - LC^i_p(t))$. After $N - F$ signals have been observed, the multiplexor selects the computed convergence function instead of $Q$. When $LC^i_p(t) - (-cfn_{MID}(p, \theta)) = R$, it is time to begin the $(i+1)$th interval. To do this, all that is required is to increment $i$ and reset $LC$ to 0. The pulse recognizers, multiplexor select, and registers are also reset at this time.
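The following tick-level model of one interval of the circuit just described is an added example, not the paper's hardware or any of its Ehdm modules. The clock and fault counts, the 16-bit datapath, the tick values and the pulse arrival times are constructed for the illustration, and the interval-end test follows the circuit description above, $LC - (-cfn_{MID}) = R$.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

N, F = 4, 1            # clocks and tolerated faults, N >= 3F + 1 (assumed)
R, Q = 10_000, 5_000   # interval length and transmit offset, in ticks
W = 16                 # hypothetical datapath width in bits


def to_twos(v: int) -> int:
    """Wrap a signed integer into its W-bit two's-complement pattern."""
    return v & ((1 << W) - 1)


def from_twos(bits: int) -> int:
    """Read a W-bit pattern back as a signed integer."""
    return bits - (1 << W) if bits & (1 << (W - 1)) else bits


def asr(bits: int) -> int:
    """Arithmetic shift right by one: sign bit kept, LSB dropped."""
    return (bits >> 1) | (bits & (1 << (W - 1)))


def cfn_mid(theta):
    """Reference cfn_MID: floor of the mean of the (F+1)th and (N-F)th
    largest readings.  A clock whose pulse never arrived ranks below every
    observed reading, so N-F observed readings suffice to evaluate it."""
    s = sorted(theta, reverse=True)
    return (s[F] + s[N - F - 1]) // 2


@dataclass
class SyncCircuit:
    """Pulse counter, the two capture registers, the adder and the shifter."""
    pulses_seen: int = 0
    seen_from: Set[int] = field(default_factory=set)  # one pulse per clock
    neg_theta_f1: int = 0            # register holding -theta_(F+1)
    neg_theta_nf: int = 0            # register holding -theta_(N-F)
    neg_adj: Optional[int] = None    # -ADJ, valid once N-F pulses were seen

    def pulse(self, q: int, lc: int) -> None:
        """Recognizer q fires while the local counter LC reads lc."""
        if q in self.seen_from or self.neg_adj is not None:
            return                        # duplicate, or already computed
        self.seen_from.add(q)
        self.pulses_seen += 1
        neg_reading = to_twos(-(Q - lc))  # first adder: -(Q - LC)
        if self.pulses_seen == F + 1:
            self.neg_theta_f1 = neg_reading
        if self.pulses_seen == N - F:
            self.neg_theta_nf = neg_reading
            total = to_twos(self.neg_theta_f1 + self.neg_theta_nf)
            self.neg_adj = asr(total)     # second adder, then divide-by-2

    def adjustment(self) -> Optional[int]:
        """ADJ as a signed tick count, or None while still waiting."""
        return None if self.neg_adj is None else -from_twos(self.neg_adj)

    def interval_end(self) -> Optional[int]:
        """LC at which interval i+1 starts, from LC - (-cfn) = R."""
        adj = self.adjustment()
        return None if adj is None else R - adj


def run_interval(arrivals: Dict[int, int]) -> dict:
    """Feed the pulses in LC order (clock id -> LC at recognition), then
    compare the datapath result with the reference function.  Clock 0 is
    the local clock and recognizes itself at LC = Q (no reading error);
    a clock absent from `arrivals` never pulsed in this interval."""
    circuit = SyncCircuit()
    for q, lc in sorted(arrivals.items(), key=lambda kv: kv[1]):
        circuit.pulse(q, lc)
    readings = [Q - lc for lc in arrivals.values()]
    ref = cfn_mid(readings) if len(readings) >= N - F else None
    return {"adj": circuit.adjustment(),
            "end": circuit.interval_end(), "ref": ref}


# Constructed samples: clock 1 pulses 10 ticks early, clock 2 pulses late,
# clock 3 is silent (faulty).  EVEN_SUM makes theta_(F+1) + theta_(N-F) even.
EVEN_SUM = {0: Q, 1: Q - 10, 2: Q + 16}
ODD_SUM = {0: Q, 1: Q - 10, 2: Q + 15}

if __name__ == "__main__":
    print(run_interval(EVEN_SUM))   # adj -8, end 10008, ref -8
    print(run_interval(ODD_SUM))    # adj -7, ref -8
```

For ODD_SUM the datapath yields $ADJ = -7$ while the reference floor gives $-8$: because the registers hold $-\theta$ (footnote 8), the shift floors $-(\theta_{(F+1)} + \theta_{(N-F)})$, which in this model rounds the midpoint up by one tick whenever that sum is odd.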


5.2 Theory Obligations 

The requirements referred to in this section are from the list presented in section 3.4. Since this design was developed, in part, from the algebraic definitions given in section 2.1, it is relatively easy to see that it meets the necessary definitions as specified by requirement 5. The interval clock is defined as follows:

$$IC^i_p(t) = iR + LC^i_p(t)$$

From the description of the design given, we know that

$$IC^{i+1}_p(t) = IC^i_p(t) + ADJ^i_p$$

with $LC^i_p(t)$ corresponding to $PC_p(t)$ as described in Chapter 2. The only distinction is that, in the implementation, $LC$ is repeatedly reset. Even so, it is the primary mechanism for marking the passage of time. Clearly, this implementation of $IC$ ensures that this design provides a correct $VC$. The time reference provided to the local processing elements is the pair $(i, LC^i_p(t))$ with the expected interpretation that the current elapsed time since the beginning of the protocol is $iR + LC^i_p(t)$.

This circuit cycles through the following states:

1. From $LC^i_p(t) = 0$ until the $(N-F)$th pulse is received, it determines the readings needed for the convergence function

2. It uses the readings to compute the adjustment $ADJ^i_p$

3. When $LC^i_p(t) + ADJ^i_p = R$, it applies the correction by resetting for the next interval

In parallel with this sequence of states, when $LC^i_p(t) = Q$, it transmits its synchronization signal to the other clocks in the system. This algorithm is clearly an instance of the general algorithm schema presented as requirement 6 (section 3.4). State 1, in conjunction with the transmission of the synchronization signal, implements the exchange of clock values. State 2 determines both the adjustment for this interval and the time of application. State 3 applies the correction at the appropriate time.
Requirement 2 demands a demonstration that the mechanism for exchanging clock values introduces at most a small error to the readings of a remote clock. The best that can be achieved in practice for the first clause of condition 6 is for $\Lambda$ to equal 1 tick. The third clause, however, includes real-time separation and a possible value for $\Lambda'$ of approximately 0.5 tick. We assume these values for the remainder of this paper. A hardware realization of the above abstract design with estimates of reading error equivalent to these is presented in reference 24. These bounds have not been established formally. Preliminary research, which may enable formal derivation of such bounds, can be found in reference 25.

With these values for reading error, we can now solve the inequalities presented at the end of Chapter 2. The inequalities used for this presentation are those from the informal proof of theorem 2.1 given in appendix A. These inequalities are

1. $4\rho r_{max} + \pi(\lfloor 2\Lambda' + 2 \rfloor, \lfloor \beta + 2\Lambda' \rfloor) \le \beta$

2. $\lceil (1 + \rho)\beta' + 2\rho r_{max} \rceil \le \delta$

3. $\alpha(\lfloor \beta + 2\Lambda' \rfloor) + \Lambda + \lceil 2\rho\beta \rceil + 1 \le \delta$

For the first inequality, we need to find the smallest value of $\beta$ that satisfies the inequality. The bound $\beta$ can be represented as the sum of an integer and a real between 0 and 1. Let the integer part be $B$ and the real part be $b$. We know that $\rho R \le 0.1$ and that $r_{max}$ is not significantly more than $R$. Therefore, we can let $b = 4\rho r_{max} \approx 0.4$ and reduce the inequality to the following form:

$$\pi(\lfloor 2\Lambda' + 2 \rfloor, \lfloor \beta + 2\Lambda' \rfloor) \le B$$

The estimate for $\Lambda'$ is $\approx 0.5 < 1 - b/2$; therefore, $\lfloor 2\Lambda' + 2 \rfloor = 3$ and $\lfloor \beta + 2\Lambda' \rfloor = B + 1$. Using the $\pi$ established for $cfn_{MID}(p, \theta)$ in Chapter 4 gives

$$\left\lceil \frac{B + 7}{2} \right\rceil \le B$$

The smallest value of $B$ that satisfies this inequality is 7; therefore, the above circuit can maintain a value of $\beta$ that is $\approx 7.4$ ticks. By using this value in the second inequality, we see that $\delta \ge 8$. Because $\alpha$ is the identity function for $cfn_{MID}(p, \theta)$ and $\Lambda = 1$, we get $\delta \ge 11$ ticks from the third inequality. The bound from the third inequality does not seem tight, but it is the best proven result we have. By using these numbers with a clock rate of 10 MHz, this circuit will synchronize the redundant clocks to within about 1 $\mu$sec. Since the frame length for most flight control systems is on the order of 50 msec, this circuit provides tight synchronization with negligible overhead.

All that remains in this chapter is to show that this design satisfies requirement 4. This consists of satisfying conditions 8 and 9. We know that $\alpha(\beta + 2\Lambda') < 9$ and that $T^0 = 0$. We can satisfy condition 8 by selecting $S^0$ such that $9 \le S^0 \le R - 9$. Since ..., this should be no problem. For simplicity, let $S^0 = Q$. Also, since $R \gg (1 + \rho)\delta + \alpha(\beta' + 2\Lambda')$, condition 9 is easily met. Requirement 7, achieving initial synchronization, is addressed in the next chapter.
Chapter 6

Initialization and Transient Recovery


This chapter establishes that the design presented in Chapter 5 meets the one remaining requirement of the list given in section 3.4. This requirement is to satisfy condition 7, bounded delay initialization. Establishing this requirement in the absence of faults is sufficient because initialization is only required at system startup. A fault encountered at startup is not critical and can be remedied by repairing the failed component. However, a guaranteed automatic mechanism that establishes initial synchronization would provide a mechanism for recovery from correlated transient failures. Therefore, the arguments given for initial synchronization attempt to address behavior in the presence of faults also. These arguments are still in an early stage of development and are therefore presented informally, unlike the proofs in earlier chapters.

Section 6.2 addresses guaranteed recovery from a bounded number of transient faults. The Ehdm theory presented in section 3.3 presents sufficient conditions to establish theorem 3.1 while recovering from transient faults. Section 6.2 restates these conditions and adds a few more that may be necessary to mechanically prove theorem 2.1 and still allow transient recovery. Section 6.2 also demonstrates that the design presented in Chapter 5 meets the requirements of these transient recovery conditions.

A number of clock synchronization protocols include mechanisms to achieve initializa- 
tion and transient recovery. An implicit assumption in all these approaches is a diagnosis 
mechanism that triggers the initialization or recovery action. One goal of this design is 
that these functions happen automatically by virtue of the normal operation of the syn- 
chronization algorithm. It appears that the fault-tolerant midpoint cannot be modified to 
ensure automatic initialization. However, with slight modification, the fault-tolerant mid- 
point algorithm allows for automatic recovery from transient faults without a diagnostic 
action. 
6.1 Initial Synchronization

If we can get into a state that satisfies the requirements for precision enhancement (condition 3, repeated here for easy reference):

Condition 3 (precision enhancement) Given any subset $C$ of the $N$ clocks with $|C| \ge N - F$ and clocks $p$ and $q$ in $C$, then for any readings $\gamma$ and $\theta$ satisfying the conditions

1. For any $l$ in $C$, $|\gamma(l) - \theta(l)| \le X$

2. For any $l, m$ in $C$, $|\gamma(l) - \gamma(m)| \le Y$

3. For any $l, m$ in $C$, $|\theta(l) - \theta(m)| \le Y$

there is a bound $\pi(X, Y)$ such that

$$|cfn(p, \gamma) - cfn(q, \theta)| \le \pi(X, Y)$$

where $Y \le \lfloor \beta_{read} + 2\Lambda' \rfloor$ and $X = \lfloor 2\Lambda' + 2 \rfloor$,[9] then a synchronization system using the design presented in Chapter 5 will converge to the point where $|s^0_p - s^0_q| \le \beta$ in approximately $\log_2(Y)$ intervals. Byzantine agreement is then required to establish a consistent interval counter. (For the purposes of this discussion, it is assumed that a verified mechanism for achieving Byzantine agreement exists. Examples of such mechanisms can be found in refs. 26 and 27.) The clocks must reach a state satisfying the above constraints. Clearly, we would like $\beta_{read}$ to be as large as possible. To be conservative, we set $\beta_{read} = (\min(Q, R - Q) - \alpha(\lfloor \beta + 2\Lambda' \rfloor))/(1 + \rho)$. Figure 6.1 illustrates the relevant phases in a synchronization interval. If the clocks all transmit their synchronization pulses within $\beta_{read}$ of each other, the clock readings will satisfy the constraints listed above. By letting $Q = R/2$, we get the largest possible symmetric window for observing the other clocks. However, more appropriate settings for $Q$ may exist.

Figure 6.1: Key parts of synchronization interval (marks shown: $R - ADJ^i_p$, $Q$, $Q - \beta_{read}$, $\beta_{read}$, $\beta_{read}$).

[9] This condition is satisfied when for $p, q \in C$, $|s^i_p - s^i_q| \le \beta_{read}$. During initialization, $i = 0$.
6.1.1 Mechanisms for Initialization

In order to ensure that we reach a state that satisfies these requirements, it is necessary to identify possible states that violate these requirements. Such states would happen because of the behavior of clocks prior to the time that enough good clocks are running. In previous cases, we knew we had a set $C$ of good clocks with $|C| \ge N - F$. This means a sufficient number of clock readings were available to resolve $\theta_{(F+1)}$ and $\theta_{(N-F)}$. This may not be true during initialization. We need to determine a course of action when we do not observe $N - F$ clocks. Two plausible options are as follows:

Assumed perfection: pretend all clocks are observed to be in perfect synchrony

End of interval: pretend that unobserved clocks are observed at the end of the synchronization interval; i.e., $LC^i_p(t_{pq}) - Q = R - Q$; compute the correction based on this value

The first option is simple to implement because no correction is necessary. When $LC = R$, set both $i$ and $LC$ to 0, and reset the circuit for the next interval. To implement the second option, perform the following action when $LC = R$: if fewer than $N - F$ ($F + 1$) signals are observed, then enable register $-\theta_{(N-F)}$ ($-\theta_{(F+1)}$). This causes the unobserved readings to be $(R - Q)$, which is equivalent to observing the pulse at the end of an interval of duration $R$.

We discuss these two possibilities with respect to a four-clock system. The arguments for the general case are similar, but are combinatorially more complicated. We only consider cases in which at least one pair of clocks is separated by more than $\beta_{read}$. Otherwise, the conditions enumerated would be satisfied.

6.1.1.1 Assumed Perfection

For assumed perfection, all operational clocks transmit their pulse within $(1 + \rho)R/2$ of every other operational clock. We present one scenario consisting of four nonfaulty clocks to demonstrate that this approach does not work. At least one pair of clocks is separated by more than $\beta_{read}$. A real implementation needs a certain amount of time to reset for the next interval; therefore, there is a short period of time $z$ at the end of an interval where signals will be missed. This enables a pathological case that can prevent a clock from participating in the protocol, even if no faults are present. If two clocks are separated by $(R - Q) - z$, only one of the two clocks is able to read the other. If additional clocks that are synchronous with the hidden clock are added, they too will be hidden. Figure 6.2 illustrates a four-clock system caught in this pathological scenario. The scale is exaggerated to clearly depict the window $z$ in which signals from other clocks cannot be observed. Typically, this window is quite small with respect to the length of the synchronization interval. In this figure, clock $a$ never sees the other clocks in the system, and therefore remains unsynchronized, even though it is not faulty. There are a number of options for remedying this deficiency, but all result in more difficult arguments for demonstrating recovery from transient faults. The presence of this window of invisibility is unfortunate, because it invalidates a simple probabilistic proof that this approach guarantees initial synchronization. Although the illustration shows $Q = R/2$, a similar pathological scenario exists for any setting of $Q$.
Figure 6.2: Pathological scenario — assumed perfection (traces for $VC_a$, $VC_b$, $VC_c$, $VC_d$).


6.1.1.2 End of Interval

The end of interval approach is an attempt to avoid the pathological case illustrated in figure 6.2. We begin by considering the cases where only two clocks are actively participating. Assume for the sake of this discussion that $Q = R/2$ (to maximize $\beta_{read}$). There are two possibilities: the synchronization pulses are either separated by more than $R/2$ or less than $R/2$. The two cases are illustrated in figure 6.3. In case 1, each clock computes the maximum adjustment of $R/2$ and transmits a pulse every $3R/2$ ticks. In case 2, $VC_b$ computes an adjustment of $R/4$ and transmits a pulse every $5R/4$ ticks, whereas $VC_a$ computes an adjustment between $R/4$ and $R/2$ and converges to a point where it transmits a pulse every $5R/4$ ticks and is synchronized with $VC_b$. If we add a third clock to case 1, it must be within $R/2$ of at least one of the two clocks. If it is within $R/2$ of both, it will pull the two clocks together quickly. Otherwise, the pair within $R/2$ of each other will act as if they are the only two clocks in the system and will converge to each other in the manner of case 2. Since two clocks have an interval length of $5R/4$, and the third has an interval length of $3R/2$, the three clocks will shortly reach a point where they are within $\beta_{read}$ of each other. This argument also covers the case where we add a third clock to case 2. Once the three nonfaulty clocks are synchronized, we can add a fourth clock and use the transient recovery arguments presented in section 6.2 to ensure that it joins the ensemble of clocks. This provides us with a sound mechanism to ensure initial synchronization in the absence of failed clocks; we just power the clocks in order with enough elapsed time between clocks to ensure that they have stabilized. This mechanism is sufficient to satisfy the initialization requirement but does not address reinitialization due to the occurrence of correlated transient failures.

Unfortunately, if we begin with four clocks participating in the initialization scheme, a pathological scenario arises. This scenario is illustrated in figure 6.4. Clocks $VC_a$ and $VC_b$ are synchronized with each other in the manner of case 2 of figure 6.3; likewise, $VC_c$ and $VC_d$ are synchronized. The two pairs are not synchronized with each other. This illustrates that even with no faulty clocks, the system may converge to a 2-2 split: two pairs synchronized with each other but not with the other pair. Once again, values for $Q$ other than $R/2$ were explored; in each case a 2-2 split was discovered. The next section proposes a means to avoid this pathological case, while preserving the existing means for achieving initial synchronization and transient recovery.



Figure 6.3: End of interval initialization. Case 1: $|s_a - s_b| > R/2$; Case 2: $|s_a - s_b| < R/2$ (marks shown: $ADJ$, $R/2$, $5R/4$).


6.1.1.3 End of Interval — Time-Out

Inspection of figure 6.4 suggests that if any of the clocks were to arbitrarily decide not to compute any adjustment, the immediately following interval would have a collection of three clocks within $\beta_{read}$ of each other, as shown in figure 6.5. When clock $b$ decides not to compute any adjustment, it shifts to a point where its pulse is within $\beta_{read}$ of $a$ and $d$. Here the algorithm takes over, and the three values converge. Figure 6.5 illustrates the fault-free case. If $a$ were faulty, it could delay convergence by at most $\log_2(\beta_{read})$. Clock $a$ is also brought into the fold because of the transient recovery process. This process is explained in more detail in section 6.2. All that remains is to provide a means for the clocks not to apply any adjustment when such action is necessary.

Suppose each clock maintains a count of the number of elapsed intervals since it has observed $N - F$ pulses. When this count reaches 8, for example, it is reasonably safe
to assume that either fewer than $N - F$ clocks are active or the system is caught in the pathological scenario illustrated in figure 6.4. In either case, choosing to apply no correction for one interval does no harm. Once this time-out expires, it is important to reset the counter and switch back immediately to the end of interval mode. This prevents the system from falling into the pathological situation presented in figure 6.2.

Now that we have a consistent mechanism for automatically initializing a collection of good clocks, we need to explore how a faulty clock could affect this procedure. First we note that figure 6.4 shows the only possible pathological scenario. Consider that an ensemble of unsynchronized clocks must have at least one pair separated by more than $\beta_{read}$; otherwise the properties of precision enhancement force the system to synchronize. In a collection of three clocks, at least one pair must be within $\beta_{read}$; figure 6.3 shows that in the absence of other readings, a pair within $\beta_{read}$ will synchronize to each other. The only way a fourth clock can be added to prevent system convergence is the pathological case in figure 6.4. If this fourth clock is fault free, the time-out mechanism will ensure convergence. Two questions remain: can a faulty clock prevent the time-out from expiring, and can a faulty clock prevent synchronization if a time-out occurs? We address the former first.


Recall from the description of the design that, in any synchronization interval, each clock recognizes at most one signal from any other clock in the system. The only means to prevent a time-out is for each nonfaulty clock to observe three pulses in an interval, at least once every eight intervals. In figure 6.6, $d$ is faulty in such a manner that it will be observed by $a$, $b$, and $c$ without significantly altering their computed corrections. This fault is considered benign because $d$ is regularly transmitting a synchronization pulse that is visible to all the other clocks in the system. Clock $d$ is considered faulty because it is not correctly responding to the signals that it observes. Clock $c$ is not visible to either $a$ or $b$, and neither of these is visible to $c$. Neither $a$ nor $b$ will reach a time-out, because they see three signals in every interval. However, except for very rare circumstances, $c$ will eventually execute a time-out, and the procedure illustrated in figure 6.5 will cause $a$, $b$, and $c$ to synchronize.


There is one unlikely scenario when $Q = R/2$ in which the good clocks fail to converge. It requires $c$ to observe $a$ at the end of its interval, with neither $a$ nor $b$ observing $c$. Only one of the symmetric cases is presented here. This is only possible if $c$ and $a$ are separated by precisely $R/2$ ticks. Even then, $a$ will more likely see $c$ than the other way around. This tendency can be exaggerated by setting $Q$ to be slightly more than $R/2$, ensuring that $a$ will see $c$ first. If $a$ observes $c$, the effect will be the same as if it had a time-out. Since $a$ is synchronized with $b$, observing $c$ at the beginning of the interval will cause the proper correction to be 0, and the system will synchronize.

The only remaining question is whether a faulty clock can prevent the others from converging if a time-out occurs. Unfortunately, a fault can exhibit sufficiently malicious behavior to prevent initialization. We begin by looking back at figure 6.5. If $a$ is faulty and a time-out occurs for $b$, then $b$, $c$, and $d$ will synchronize. If, on the other hand, $d$ is faulty, we do not get a collection of good clocks within $\beta_{read}$. A possible scenario is
Figure 6.6: End of interval initialization: $d$ faulty — benign.

Figure 6.7: End of interval initialization: $d$ faulty — malicious.


shown in figure 6.7, where $d$ prevents $a$ from synchronizing and also causes the time-out for $a$ to reset. At some point, $d$ also sends a pulse at the end of an interval to either $b$ or $c$ to ensure that just one of them has a time-out. The process can then be repeated, preventing the collection of good clocks from ever becoming synchronized. This fault is malicious because the behavior of $d$ appears different to each of the other clocks in the system.
The attempt for a fully automatic initialization scheme has fallen short. A sound mechanism exists for initializing the clocks in the absence of any failures. Also, if a clock fails passive, the remaining clocks will be able to synchronize. Unfortunately, the technique is not robust enough to ensure initialization in the presence of malicious failures.

6.1.2 Comparison With Other Approaches 

The argument that the clocks converge within $\log_2(\beta_{read})$ intervals is adapted from that 
given by Welch and Lynch (ref. 2). However, the approach given here for achieving initial 
synchronization differs from most methods in that first the interval clocks are synchronized, 
and then an index is decided on for the current interval. Techniques in references 2, 4 
and 6 all depend on the good clocks knowing that they wish to initialize. Agreement is 
reached among the clocks wishing to join, and then the initialization protocol begins. It 
seems that this standard approach is necessary to ensure initialization in the presence of 
malicious faults. The approach taken here is similar to that mentioned in reference 20; 
however, details of that approach are not given. 


6.2 Transient Recovery 

The argument for transient recovery capabilities hinges on the following observation: 

As long as there is power to the circuit and no faults are present, the circuit 
will execute the algorithm. 

With the fact that the algorithm executes continually and that pulses can be observed dur- 
ing the entire synchronization interval, we can establish that up to F transiently affected 
channels will automatically reintegrate themselves into the set of good channels. 

6.2.1 Theory Considerations 

A number of axioms were added to the Ehdm clock synchronization theory to provide 
sufficient conditions to establish transient recovery. Current theory provides an uninstan- 
tiated predicate rpred that must imply certain properties. To formally establish transient 
recovery, it is sufficient to identify an appropriate rpred for the given design and then show 
that a clock will eventually satisfy rpred if affected by a transient fault (provided that 
enough clocks were unaffected). The task is considerably simplified if the convergence 
function satisfies the recovery variants of precision enhancement and accuracy preserva- 
tion. In Chapter 4, it was shown that the fault-tolerant midpoint function satisfies those 
conditions. The current requirements for rpred are the following: 

1. From module delay3:

recovery_lemma: Axiom
  delay_pred(i) ∧ ADJ_pred(i+1) ∧ rpred(i)(p) ∧ correct_during(p, t_p^{i+1}, t_p^{i+2}) ∧ wpred(i+1)(q)
  ⊃ |s_p^{i+1} − s_q^{i+1}| ≤ β'

2. From module new_basics:

delay_recovery: Axiom rpred(i)(p) ∧ wvr_pred(i)(q) ⊃ |t_p^{i+1} − t_q^{i+1}| ≤ β

3. From module rmax_rmin:

ADJ_recovery: Axiom option1 ∧ rpred(i)(p) ⊃ |ADJ_p^i| ≤ α(⌊β_read + 2Λ'⌋)

4. From module delay:

wpred_preceding: Axiom wpred(i+1)(p) ⊃ wpred(i)(p) ∨ rpred(i)(p)
wpred_rpred_disjoint: Axiom ¬(wpred(i)(p) ∧ rpred(i)(p))
wpred_bridge: Axiom wvr_pred(i)(p) ∧ correct_during(p, t_p^{i+1}, t_p^{i+2}) ⊃ wpred(i+1)(p)

The conditions from module delay define wpred; they ensure that a clock is considered 
working only if it was working or recovered in the previous interval. They were previously 
discussed in section 3.3. Arguments for transient recovery hinge on the first three 
constraints presented. In Chapter 3, two options were presented for determining when to 
apply the adjustment. These options are 

1. $T_p^{i+1} = (i+1)R + T^0$ 

2. $T_p^{i+1} = (i+1)R + T^0 - ADJ_p^i$ 

Since the design presented in Chapter 5 uses the second option, the arguments for tran- 
sient recovery are specific to that case. The argument for this option depends primarily 
on satisfying axiom recovery_lemma. 

Axiom recovery_lemma is used in the inductive step of the machine-checked proof of 
theorem 3.1. To prove recovery_lemma, it is sufficient for rpred(i)(p) to equal the following: 

correct_during(p, s_p^i, t_p^{i+1}) ∧ (wpred(i)(q) ⊃ |s_p^i − s_q^i| ≤ β_read) ∧ ¬wpred(i)(p) 

Using arguments similar to the proof of theorem 3.1, we can then establish that 

$|ADJ_p^i| \le \alpha(\beta_{read} + 2\Lambda')$ 

$|ic_p^{i+1}(T) - ic_q^{i+1}(T)| \le 2\rho(|T - S^i| + \alpha(\beta_{read} + 2\Lambda')) + \pi(2\Lambda' + 2,\ \beta' + 2\Lambda')$ 

The second of these is made possible by using the recovery version of precision en- 
hancement. Since $\beta' \ge 4\rho r_{max} + \pi(2\Lambda' + 2,\ \beta' + 2\Lambda')$, all that remains is to establish 
that $2\rho(|S^{i+1} - S^i| + \alpha(\beta_{read} + 2\Lambda')) \le 4\rho r_{max}$. Since $\beta_{read} \le R/2$ and $\alpha$ is the identity 
function, this relation is easily established. Axiom delay_recovery is easily established for 
implementations by using the second algorithm schema presented in Chapter 3. Because 
$T_p^{i+1} + ADJ_p^i = (i+1)R + T^0$ and $t_p^{i+1} = ic_p^{i+1}((i+1)R + T^0)$, all that is required is to 
substitute $(i+1)R + T^0$ for $T$ in item 2. Since the two options are mutually exclusive and 
the design employs the second, axiom ADJ_recovery is trivially satisfied. 
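A finite model of this bookkeeping, added here as an example (it is not code from the report or from its Ehdm modules): it instantiates rpred as above, derives wpred(i+1) from wpred(i) as wpred_preceding and wpred_bridge require, and replays the three delay-module axioms over a constructed four-clock trace in which clock d suffers a transient fault; the value of beta_read, the clock names and the trace are assumptions.

```python
"""Finite model of the transient-recovery bookkeeping of section 6.2.1.

Added example, not code from the report or from its Ehdm modules.  It
instantiates rpred as section 6.2.1 does (correct from s_p^i to t_p^{i+1},
within beta_read of every working clock, and not already working), derives
wpred(i+1) from wpred(i) as axioms wpred_preceding and wpred_bridge require,
and replays the three delay-module axioms over a constructed trace of a
four-clock system in which clock d suffers a transient fault.
beta_read, the clock names and the trace are constructed assumptions.
"""
from dataclasses import dataclass

BETA_READ = 3  # constructed value of beta_read, in ticks (assumption)


@dataclass(frozen=True)
class Obs:
    """Facts about clock p in interval i that the predicates consume.

    correct_s_to_t : correct_during(p, s_p^i, t_p^{i+1})
    correct_t_to_t : correct_during(p, t_p^{i+1}, t_p^{i+2})
    s              : s_p^i on a common time line, so |s - s_q| is the skew
                     between the sync points of p and q in interval i
    """
    correct_s_to_t: bool
    correct_t_to_t: bool
    s: int

def rpred(obs_i, wpred_i, p):
    """rpred(i)(p) as instantiated in section 6.2.1."""
    o = obs_i[p]
    if wpred_i[p] or not o.correct_s_to_t:
        return False
    return all(abs(o.s - obs_i[q].s) <= BETA_READ
               for q in obs_i if wpred_i[q])

def wvr_pred(obs_i, wpred_i, p):
    """wvr_pred(i)(p) = wpred(i)(p) or rpred(i)(p)."""
    return wpred_i[p] or rpred(obs_i, wpred_i, p)

def next_wpred(obs_i, wpred_i):
    """wpred(i+1): clocks that were working or recovering in interval i and
    stay correct throughout interval i+1.  That is the largest set allowed
    by wpred_preceding and the smallest required by wpred_bridge, so both
    axioms hold by construction; axioms_hold() re-checks them."""
    return {p: wvr_pred(obs_i, wpred_i, p) and obs_i[p].correct_t_to_t
            for p in obs_i}

def run(trace, wpred_0):
    """Return (wpreds, rpreds): wpreds[i] for i = 0..len(trace), rpreds[i]
    for i = 0..len(trace)-1."""
    wpreds, rpreds = [dict(wpred_0)], []
    for obs_i in trace:
        w = wpreds[-1]
        rpreds.append({p: rpred(obs_i, w, p) for p in obs_i})
        wpreds.append(next_wpred(obs_i, w))
    return wpreds, rpreds

def axioms_hold(trace, wpreds, rpreds):
    """Check wpred_rpred_disjoint, wpred_preceding and wpred_bridge."""
    for i, obs_i in enumerate(trace):
        for p in obs_i:
            if wpreds[i][p] and rpreds[i][p]:          # wpred_rpred_disjoint
                return False
            if wpreds[i + 1][p] and not (wpreds[i][p] or rpreds[i][p]):
                return False                            # wpred_preceding
            hyp = (wpreds[i][p] or rpreds[i][p]) and obs_i[p].correct_t_to_t
            if hyp and not wpreds[i + 1][p]:
                return False                            # wpred_bridge
    return True

def enough_working(wpred_i, n=4, f=1):
    """At least N - F clocks working, the side condition recovery needs."""
    return sum(wpred_i.values()) >= n - f

# Constructed trace: a, b, c stay correct; d is hit by a transient that begins
# inside interval 2 and is over before s_d^3.  By interval 3 the maintenance
# algorithm has pulled d to within beta_read of the good clocks.
OK = True
TRACE = [
    {"a": Obs(OK, OK, 0), "b": Obs(OK, OK, 1), "c": Obs(OK, OK, 0), "d": Obs(OK, OK, 1)},
    {"a": Obs(OK, OK, 0), "b": Obs(OK, OK, 1), "c": Obs(OK, OK, 1), "d": Obs(OK, False, 0)},
    {"a": Obs(OK, OK, 0), "b": Obs(OK, OK, 0), "c": Obs(OK, OK, 1), "d": Obs(False, OK, 40)},
    {"a": Obs(OK, OK, 1), "b": Obs(OK, OK, 0), "c": Obs(OK, OK, 1), "d": Obs(OK, OK, 3)},
]
WPRED_0 = {"a": True, "b": True, "c": True, "d": True}

def recovery_intervals(trace=TRACE, wpred_0=WPRED_0):
    """Return (first interval in which d is not working, first later interval
    in which d is working again); (2, 4) on the constructed trace."""
    wpreds, _ = run(trace, wpred_0)
    lost = next(i for i, w in enumerate(wpreds) if not w["d"])
    back = next(i for i, w in enumerate(wpreds) if i > lost and w["d"])
    return lost, back
```

Changing d's sync point in interval 3 to more than beta_read from any working clock keeps rpred(3)(d) false, and d stays out of wpred(4), which is the side condition section 6.2.2 must establish.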
6.2.2 Satisfying rpred 

The only modification required to the design is that the synchronization signals include 
the sender's value for i (the index for the current synchronization interval). By virtue of 
the maintenance algorithm, the $N - F$ good clocks are synchronized within a bounded 
skew $\delta \ll R$. A simple majority vote restores the index of the recovering clock. If the 
recovering clock's pulse is within $\beta_{read}$ of the collection of good clocks, rpred is satisfied. 
If not, we need to ensure that a recovering clock will always shift to a point where it is 
within $\beta_{read}$ of the collection of good clocks. 

The argument for satisfying rpred is given for a four-clock system; the argument for 
the general case requires an additional time-out mechanism to avoid pathological cases. 
Consider the first full synchronization interval in which the recovering clock is not faulty. 
In a window of duration $R$, it will obtain readings of the good clocks in the system. If 
the three readings are within $\delta$ of each other, the recovering clock will use two of the 
three readings to compute the convergence function, restore the index via a majority vote, 
and will be completely recovered for the next interval. It is possible, however, that the 
pulses from the good clocks align closely with the edge of the synchronization interval. The 
recovering clock may see one or two clocks in the beginning of the interval and read the rest 
at the end. It is important to be using the end of interval method for resolving the absence 
of pulses. By using the end of interval method, it is guaranteed that some adjustment 
will be computed in every interval. If two pulses are observed near the beginning of the 
interval, the current interval will be shortened by no more than $R - Q$. If only one clock is 
observed in the beginning of the interval, then either two clocks will be observed at the end 
of the interval or the circuit will pretend they were observed. In either case, the interval 
will be lengthened by $(R - Q)/2$. It is guaranteed that in the next interval the recovering 
clock will be separated from the good clocks by at most $(R - Q)/2$. Since $(R - Q)/2 \le \beta_{read}$, the 
requirements of rpred have been satisfied. It is important to recognize that this argument 
does not depend on the particular value chosen for $Q$. This gives greater flexibility for 
manipulating the design to meet other desired properties. 

6.2.3 Comparison With Other Approaches 

A number of other fault-tolerant clock synchronization protocols allow for restoration 
of a lost clock. The approach taken here is very similar to the one proposed by Welch and 
Lynch (ref. 2). They propose that when a process awakens, it observes incoming messages 
until it can determine which round is underway and then waits sufficiently long to ensure 
that it has seen all valid messages in that round. It then computes the necessary correction 
to become synchronized. Srikanth and Toueg (ref. 6) use a similar approach modified to 
the context of their algorithm. Halpern et al. (ref. 4) suggest a rather complicated protocol 
which requires explicit cooperation of other clocks in the system. All these approaches 
have the common theme, namely, that the joining clock knows that it wants to join. This 
implies the presence of some diagnostic logic or time-out mechanism that triggers the 
recovery process. The approach suggested here happens automatically. By virtue of the 
algorithm's execution in dedicated hardware, there is no need to awaken a process to 
participate in the protocol. The main idea is for the recovering process to converge to a 
state where it will observe all other clocks in the same interval and then restore the correct 
interval counter. 
Chapter 7 


Concluding Remarks 


Clock synchronization provides the cornerstone of many fault-tolerant computer ar- 
chitectures. To avoid a single point failure it is imperative that each processor maintain a 
local clock that is periodically resynchronized with other clocks in a fault-tolerant manner. 
Reasoning about fault-tolerant clock synchronization is complicated by the potential for 
subtle interactions involving failed components. For critical applications, it is necessary to 
prove that this function is implemented correctly. Shankar (NASA CR-4386) provides a 
mechanical proof (using Ehdm) that Schneider’s generalized protocol (Tech. Rep. 87-859, 
Cornell Univ.) achieves Byzantine fault-tolerant clock synchronization if 11 constraints 
are satisfied. This general proof is quite useful because it simplifies the verification of 
fault-tolerant clock synchronization systems. The difficult part of the proof is reusable, 
all that is required for a verified system is to show that the implementation satisfies the 
underlying assumptions of the general theory. This paper has revised the proof to sim- 
plify the verification conditions and illustrated the revised theory with a concrete example. 

Both Schneider and Shankar assumed the property of bounded delay. (This termi- 
nology is from Shankar’s report; Schneider called this property a reliable time source.) 
This property asserts that there is a bound on the elapsed time between synchronization 
actions of any two good clocks. For many protocols, it is easy to prove synchronization 
once bounded delay has been established. For these protocols, the difficult part of the 
proof has been left to the verifier. This paper presents a general proof of bounded delay 
from suitably modified versions of the remaining conditions. This revised set of conditions 
greatly simplifies the use of Schneider’s theory in the verification of clock synchronization 
systems. In addition, a set of conditions sufficient for proving recovery from transient 
faults has been added to the theory. A design of a synchronization system, based on the 
fault-tolerant midpoint convergence function, was shown to satisfy the constraints of the 
revised theory. 

One of the goals of the design was to develop a synchronization system that could au- 
tomatically initialize itself, even in the presence of faults. Two approaches for a four-clock 
system were explored and shown to possess pathological scenarios that prevent reliable 
initialization. An informal sketch of a third approach was given that combines techniques 
from the two failed attempts. This technique ensures automatic initialization in the ab- 
sence of failures or when the failures are benign. However, malicious behavior from a 
failed clock can prevent good clocks from synchronizing. The standard approach of first 
reaching agreement and then synchronizing seems necessary for guaranteed initialization 
in the presence of arbitrary failures. 

In keeping with the design philosophy of the Reliable Computing Platform (RCP), 
the clock synchronization system was designed to recover from transient faults. Sufficient 
conditions for transient recovery were embedded in the Ehdm proofs. These conditions 
were based on the approach used by DiVito, Butler, and Caldwell for the RCP (NASA 
TM- 102716). It was shown that a four-clock instance of the given design will satisfy the 
transient recovery assumptions. Furthermore, the recovery happens automatically; there 
is no need to diagnose occurrence of a transient fault. 


In summary, a mechanically checked version of Schneider’s paradigm for fault-tolerant 
clock synchronization was extended both to simplify verification conditions and to al- 
low for proven recovery from transient faults. Use of the extended theory was illustrated 
with the verification of an abstract design of a fault-tolerant clock synchronization system. 
Some of the requirements of the theory were established via a mechanically checked formal 
proof using Ehdm, whereas other constraints were demonstrated informally. Ultimately, a 
mechanically checked argument should be developed for all the constraints to help clarify 
the underlying assumptions and, in many cases, to correct errors in the informal proofs. 
Mechanical proof is still a difficult task because it is not always clear how to best present 
arguments to the mechanical proof system. For example, the arguments given for initial 
synchronization need to be revised considerably before a mechanically checked proof is 
possible. Nevertheless, even though some conditions were not proven mechanically, de- 
velopment of the design from the mechanically checked specification has yielded better 
understanding of the system than has been possible otherwise. 


NASA Langley Research Center 
Hampton, VA 23681-0001 
July 19, 1993 
Appendix A 

Proof of Agreement 


This appendix consists of two parts. The first part is an informal proof sketch 
that agreement can be established by using the revised constraints on $\delta$ and some of the 
intermediate results of Chapter 3. The second part consists of information 
extracted from Ehdm that confirms that the mechanical proofs of agreement have been 
performed for the minor revisions to Shankar's theory. There are also revised versions of 
modules clockassumptions and lemma_final; lemma_final contains the Ehdm statement of 
theorem 2.1, lemma agreement. 


A.l Proof Sketch of Agreement 

This section sketches the highlights of an informal proof that the following constraints 
are sufficient to establish theorem 2.1; these arguments have not yet been submitted to 
Ehdm: 

1. $4\rho r_{max} + \pi(\lfloor 2\Lambda' + 2 \rfloor,\ \lfloor \beta' + 2\Lambda' \rfloor) \le \beta'$ 

2. $\lceil (1 + \rho)\beta' + 2\rho r_{max} \rceil \le \delta$ 

3. $\alpha(\lfloor \beta' + 2\Lambda' \rfloor) + \Lambda + \lfloor 2\rho\beta' \rfloor + 1 \le \delta$ 

The first of these constraints is established in Chapter 3 and is used to ensure that 
$|s_p^i - s_q^i| \le \beta'$. We can use an intermediate result of that proof (lemma 3.1.2) to es- 
tablish the second of these constraints. The third constraint is obtained by substituting 
the revised bounds on the array of clock readings (established in the proof of part (a) of 
theorem 3.1) into Shankar's proof. This has not been done in the mechanical proof be- 
cause Shankar's proof has not yet been revised to accommodate transient recovery. 


We now prove the following theorem (from Chapter 2). 


Theorem 2.1 (bounded skew) For any two clocks $p$ and $q$ that are nonfaulty at time $t$, 

$|VC_p(t) - VC_q(t)| \le \delta$ 


To do this, we first need the following two lemmas: 
Lemma 2.1.1 For nonfaulty clocks $p$ and $q$, and $\max(t_p^i, t_q^i) \le t < \min(t_p^{i+1}, t_q^{i+1})$, 

$|IC_p^i(t) - IC_q^i(t)| \le \lceil (1 + \rho)\beta' + 2\rho r_{max} \rceil$ 

Proof: We begin by noticing that $IC_p^i(t) = IC_p^i(ic_p^i(IC_p^i(t)))$ (and similarly for $IC_q^i$). 
Assume without loss of generality that $ic_p^i(IC_p^i(t)) \le ic_q^i(IC_q^i(t)) \le t$, and let $T = IC_q^i(t)$. 
Clearly, $T \le \max(T_p^{i+1}, T_q^{i+1})$. We now have 

$$|IC_p^i(t) - IC_q^i(t)| = |IC_p^i(ic_q^i(T)) - IC_q^i(ic_q^i(T))| = |IC_p^i(ic_q^i(T)) - IC_p^i(ic_p^i(T))| \le \lceil (1 + \rho)\,|ic_q^i(T) - ic_p^i(T)| \rceil$$ 

The final step in the above derivation is established by corollary 5.1. 

All that remains is to establish that $|ic_q^i(T) - ic_p^i(T)| \le \beta' + 2\rho r_{max}/(1 + \rho)$. Ear- 
lier, we defined $r_{max}$ to be $(1 + \rho)(R + \alpha(\beta' + 2\Lambda'))$. The proof is by induction on $i$. For 
$i = 0$, 

$$|ic_p^0(T) - ic_q^0(T)| \le |t_p^0 - t_q^0| + 2\rho(\max(T_p^1, T_q^1) - T^0) \le \beta' + 2\rho(R + \alpha(\beta' + 2\Lambda'))$$ 

For the inductive step, we use lemma 3.1.2 to establish that 

$$|ic_p^{i+1}(T) - ic_q^{i+1}(T)| \le 2\rho(|T - S^i| + \alpha(\beta' + 2\Lambda')) + \pi(2\Lambda' + 2,\ \beta' + 2\Lambda')$$ 

There are two cases to consider: if $T \le S^{i+1}$, this is clearly less than $\beta'$; if $T > S^{i+1}$, 
this is bounded by $\beta' + 2\rho(\max(T_p^{i+1}, T_q^{i+1}) - S^{i+1})$. It is simple to establish that 
$\max(T_p^{i+1}, T_q^{i+1}) - S^{i+1} \le R + \alpha(\beta' + 2\Lambda')$. 


Lemma 2.1.2 For nonfaulty clocks $p$ and $q$ and $t_q^{i+1} \le t < t_p^{i+1}$, 

$|IC_p^i(t) - IC_q^{i+1}(t)| \le \alpha(\lfloor \beta' + 2\Lambda' \rfloor) + \Lambda + \lfloor 2\rho\beta' \rfloor + 1$ 

Proof Sketch: The proof follows closely the argument given in the proof of case 2 of 
theorem 2.3.2 in reference 10. The proof is in two parts. First, the difference at $t^{i+1}$ is 
bounded with accuracy preservation, and then the remainder of the interval is bounded. 
The difference in this presentation is that here the argument to $\alpha$ is smaller. ∎ 

We can now prove theorem 2.1. 

Proof Sketch: The proof consists of recognizing that $VC_p(t) = IC_p^i(t)$ for $t_p^i \le t < t_p^{i+1}$. 
This, coupled with nonoverlap and the above two lemmas, assures the result. ∎ 
A.2 Ehdm Extracts 
A.2.1 Proof Chain Analysis 

The following is an extract of the Ehdm proof chain analysis for lemma agreement in 
module lemma_final. 


================== SUMMARY ================== 

The proof chain is complete 

The axioms and assumptions at the base are: 
clockassumptions.IClock_defn 
clockassumptions.Readerror 
clockassumptions.VClock_defn 
clockassumptions.accuracy_preservation_recovery_ax 
clockassumptions.beta_0 
clockassumptions.correct_closed 
clockassumptions.correct_count 
clockassumptions.init 
clockassumptions.mu_0 
clockassumptions.precision_enhancement_recovery_ax 
clockassumptions.rate_1 
clockassumptions.rate_2 
clockassumptions.rho_0 
clockassumptions.rho_1 
clockassumptions.rmax_0 
clockassumptions.rmin_0 
clockassumptions.rts0 
clockassumptions.rts1 
clockassumptions.rts2 
clockassumptions.rts_2 
clockassumptions.synctime_0 
clockassumptions.translation_invariance 
division.mult_div_1 
division.mult_div_2 
division.mult_div_3 
floor_ceil.ceil_defn 
floor_ceil.floor_defn 
multiplication.mult_10 
multiplication.mult_non_neg 
noetherian[EXPR, EXPR].general_induction 
Total: 30 

The definitions and type-constraints are: 
absmod.abs 
basics.maxsync 
basics.maxsynctime 
basics.minsync 
clockassumptions.Adj 
clockassumptions.okay_Reading 
clockassumptions.okay_Readpred 
clockassumptions.okay_Readvars 
clockassumptions.okay_pairs 
lemma3.okayClocks 
multiplication.mult 
readbounds.okaymaxsync 
Total: 12 
A.2.2 Module lemma_final 

lemma_final: Module 

Using clockassumptions, lemma3, arith, basics 
Exporting all with clockassumptions, lemma3 


Theory 

p, q, p1, p2, q1, q2, p3, q3, i, j, k: Var nat 
l, m, n: Var int 
x, y, z: Var number 

posnumber: Type from number with (λ x : x > 0) 
r, s, t: Var posnumber 

correct_synctime: Lemma correct(p, t) ∧ t < t_p^i + r_min ⊃ t < t_p^{i+1} 
synctime_multiples: Lemma correct(p, t) ∧ t ≥ 0 ∧ t < i * r_min ⊃ t_p^i > t 
synctime_multiples_bnd: Lemma correct(p, t) ∧ t ≥ 0 ⊃ t < t_p^{⌈t/r_min⌉ + 1} 


agreement: Lemma β ≤ r_min 
  ∧ μ ≤ δs 
  ∧ π(⌈2 * Λ + 2 * β * ρ⌉ + 1, δs + ⌈2 * ((r_max + β) * ρ + Λ)⌉ + 1) ≤ δs 
  ∧ δs + ⌈2 * r_max * ρ⌉ + 1 ≤ δ 
  ∧ α(δs + ⌈2 * (r_max + β) * ρ + 2 * Λ⌉ + 1) + Λ + ⌈2 * β * ρ⌉ + 1 ≤ δ 
  ∧ t ≥ 0 ∧ correct(p, t) ∧ correct(q, t) 
  ⊃ |VC_p(t) − VC_q(t)| ≤ δ 


Proof 

agreement_proof: Prove agreement from 
  lemma3_3 {i ← ⌈t/r_min⌉ + 1}, 
  okayClocks_defn_lr {i ← ⌈t/r_min⌉ + 1, t ← t@CS}, 
  maxsync_correct {s ← t, i ← ⌈t/r_min⌉ + 1}, 
  synctime_multiples_bnd {p ← (p 1Y Q)[⌈t/r_min⌉ + 1]}, 
  rmin_0, 
  div_nonnegative {x ← t, y ← r_min}, 
  ceil_defn {x ← (t/r_min)} 

synctime_multiples_bnd_proof: Prove synctime_multiples_bnd from 
  ceil_plus_mult_div {x ← t, y ← r_min}, 
  synctime_multiples {i ← ⌈t/r_min⌉ + 1}, 
  rmin_0, 
  div_nonnegative {x ← t, y ← r_min}, 
  ceil_defn {x ← (t/r_min)} 

correct_synctime_proof: Prove correct_synctime from rts1 {t ← t@CS} 

synctime_multiples_pred: function[nat, nat, posnumber → bool] == 
  (λ i, p, t : correct(p, t) ∧ t ≥ 0 ∧ t < i * r_min ⊃ t_p^i > t) 

synctime_multiples_step: Lemma 
  correct(p, t) ∧ t ≥ t_p^i ∧ t ≥ 0 ⊃ t_p^i ≥ i * r_min 

synctime_multiples_proof: Prove synctime_multiples from 
  synctime_multiples_step 

synctime_multiples_step_pred: function[nat, nat, posnumber → bool] == 
  (λ i, p, t : correct(p, t) ∧ t_p^i ≤ t ∧ t ≥ 0 ⊃ t_p^i ≥ i * r_min) 

synctime_multiples_step_proof: Prove synctime_multiples_step from 
  induction {prop ← (λ i : synctime_multiples_step_pred(i, p, t))}, 
  mult_10 {x ← r_min}, 
  synctime_0, 
  rts_1 {i ← j@P1}, 
  rmin_0, 
  correct_closed {s ← t, t ← t_p^{j@P1 + 1}}, 
  distrib {x ← j@P1, y ← 1, z ← r_min}, 
  mult_ident {x ← r_min} 

End lemma_final 
A.2.3 Module clockassumptions 

clockassumptions: Module 
Using arith, countmod 
Exporting all with countmod, arith 

Theory 

N: nat 

N_0: Axiom N > 0 

process: Type is nat 
event: Type is nat 
time: Type is number 
Clocktime: Type is integer 

l, m, n, p, q, p1, p2, q1, q2, p3, q3: Var process 
i, j, k: Var event 
x, y, z, r, s, t: Var time 
X, Y, Z, R, S, T: Var Clocktime 
γ, θ: Var function[process → Clocktime] 
δ, ρ, r_min, r_max, β: number 
Λ, μ: Clocktime 

PC_{*1}(*2), VC_{*1}(*2): function[process, time → Clocktime] 
t_{*1}^{*2}: function[process, event → time] 
Θ_{*1}^{*2}: function[process, event → function[process → Clocktime]] 
IC_{*1}^{*2}(*3): function[process, event, time → Clocktime] 
correct: function[process, time → bool] 
cfn: function[process, function[process → Clocktime] → Clocktime] 
π: function[Clocktime, Clocktime → Clocktime] 
α: function[Clocktime → Clocktime] 

delta_0: Axiom δ > 0 
mu_0: Axiom μ > 0 
rho_0: Axiom ρ > 0 
rho_1: Axiom ρ < 1 
rmin_0: Axiom r_min > 0 
rmax_0: Axiom r_max > 0 
beta_0: Axiom β > 0 
lamb_0: Axiom Λ > 0 

init: Axiom correct(p, 0) ⊃ PC_p(0) ≥ 0 ∧ PC_p(0) ≤ μ 

correct_closed: Axiom s ≥ t ∧ correct(p, s) ⊃ correct(p, t) 

rate_1: Axiom correct(p, s) ∧ s ≥ t ⊃ PC_p(s) − PC_p(t) ≤ ⌈(s − t) * (1 + ρ)⌉ 

rate_2: Axiom correct(p, s) ∧ s ≥ t ⊃ PC_p(s) − PC_p(t) ≥ ⌊(s − t) * (1 − ρ)⌋ 

rts0: Axiom correct(p, t) ∧ t ≤ t_p^{i+1} ⊃ t − t_p^i ≤ r_max 

rts1: Axiom correct(p, t) ∧ t ≥ t_p^{i+1} ⊃ t − t_p^i ≥ r_min 

rts_0: Lemma correct(p, t_p^{i+1}) ⊃ t_p^{i+1} − t_p^i ≤ r_max 

rts_1: Lemma correct(p, t_p^{i+1}) ⊃ t_p^{i+1} − t_p^i ≥ r_min 

rts2: Axiom correct(p, t) ∧ t ≥ t_q^i + β ∧ correct(q, t) ⊃ t ≥ t_p^i 

rts_2: Axiom correct(p, t_p^i) ∧ correct(q, t_q^i) ⊃ t_p^i − t_q^i ≤ β 

synctime_0: Axiom t_p^0 = 0 

VClock_defn: Axiom 
  correct(p, t) ∧ t ≥ t_p^i ∧ t < t_p^{i+1} ⊃ VC_p(t) = IC_p^i(t) 

adj_{*1}^{*2}: function[process, event → Clocktime] = 
  (λ p, i : (if i > 0 then cfn(p, Θ_p^i) − PC_p(t_p^i) else 0 end if)) 

IClock_defn: Axiom correct(p, t) ⊃ IC_p^i(t) = PC_p(t) + adj_p^i 

Readerror: Axiom correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1}) 
  ⊃ |Θ_p^{i+1}(q) − IC_q^i(t_p^{i+1})| ≤ Λ 

translation_invariance: Axiom 
  cfn(p, (λ p1 → Clocktime : γ(p1) + X)) = cfn(p, γ) + X 

ppred: Var function[process → bool] 

F: process 

okay_Readpred: function[function[process → Clocktime], number, 
  function[process → bool] → bool] = 
  (λ γ, y, ppred : (∀ l, m : ppred(l) ∧ ppred(m) ⊃ |γ(l) − γ(m)| ≤ y)) 

okay_pairs: function[function[process → Clocktime], 
  function[process → Clocktime], number, 
  function[process → bool] → bool] = 
  (λ γ, θ, x, ppred : (∀ p3 : ppred(p3) ⊃ |γ(p3) − θ(p3)| ≤ x)) 

okay_Readpred_floor: Lemma 
  okay_Readpred(γ, y, ppred) ⊃ okay_Readpred(γ, ⌊y⌋, ppred) 

okay_pairs_floor: Lemma 
  okay_pairs(γ, θ, x, ppred) ⊃ okay_pairs(γ, θ, ⌊x⌋, ppred) 

N_maxfaults: Axiom F < N 

precision_enhancement_ax: Axiom 
  count(ppred, N) ≥ N − F 
  ∧ okay_Readpred(γ, Y, ppred) 
  ∧ okay_Readpred(θ, Y, ppred) 
  ∧ okay_pairs(γ, θ, X, ppred) ∧ ppred(p) ∧ ppred(q) 
  ⊃ |cfn(p, γ) − cfn(q, θ)| ≤ π(X, Y) 

precision_enhancement_recovery_ax: Axiom 
  count(ppred, N) ≥ N − F 
  ∧ okay_Readpred(γ, Y, ppred) 
  ∧ okay_Readpred(θ, Y, ppred) ∧ okay_pairs(γ, θ, X, ppred) 
  ⊃ |cfn(p, γ) − cfn(q, θ)| ≤ π(X, Y) 

correct_count: Axiom count((λ p : correct(p, t)), N) ≥ N − F 

okay_Reading: function[function[process → Clocktime], number, time 
  → bool] = 
  (λ γ, y, t : (∀ p1, q1 : 
    correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) − γ(q1)| ≤ y)) 

okay_Readvars: function[function[process → Clocktime], 
  function[process → Clocktime], number, time 
  → bool] = 
  (λ γ, θ, x, t : (∀ p3 : correct(p3, t) ⊃ |γ(p3) − θ(p3)| ≤ x)) 

okay_Readpred_Reading: Lemma 
  okay_Reading(γ, y, t) ⊃ okay_Readpred(γ, y, (λ p : correct(p, t))) 

okay_pairs_Readvars: Lemma 
  okay_Readvars(γ, θ, x, t) ⊃ okay_pairs(γ, θ, x, (λ p : correct(p, t))) 

precision_enhancement: Lemma 
  okay_Reading(γ, Y, t_p^{i+1}) 
  ∧ okay_Reading(θ, Y, t_p^{i+1}) 
  ∧ okay_Readvars(γ, θ, X, t_p^{i+1}) 
  ∧ correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1}) 
  ⊃ |cfn(p, γ) − cfn(q, θ)| ≤ π(X, Y) 

okay_Reading_defn_lr: Lemma 
  okay_Reading(γ, y, t) 
  ⊃ (∀ p1, q1 : correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) − γ(q1)| ≤ y) 

okay_Reading_defn_rl: Lemma 
  (∀ p1, q1 : correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) − γ(q1)| ≤ y) 
  ⊃ okay_Reading(γ, y, t) 

okay_Readvars_defn_lr: Lemma 
  okay_Readvars(γ, θ, x, t) ⊃ (∀ p3 : correct(p3, t) ⊃ |γ(p3) − θ(p3)| ≤ x) 

okay_Readvars_defn_rl: Lemma 
  (∀ p3 : correct(p3, t) ⊃ |γ(p3) − θ(p3)| ≤ x) ⊃ okay_Readvars(γ, θ, x, t) 

accuracy_preservation_ax: Axiom 
  okay_Readpred(γ, X, ppred) ∧ count(ppred, N) ≥ N − F ∧ ppred(p) ∧ ppred(q) 
  ⊃ |cfn(p, γ) − γ(q)| ≤ α(X) 

accuracy_preservation_recovery_ax: Axiom 
  okay_Readpred(γ, X, ppred) ∧ count(ppred, N) ≥ N − F ∧ ppred(q) 
  ⊃ |cfn(p, γ) − γ(q)| ≤ α(X) 


Proof 

okay_Readpred_floor_pr: Prove okay_Readpred_floor from 
  okay_Readpred {l ← l@p2, m ← m@p2}, 
  okay_Readpred {y ← ⌊y⌋}, 
  iabs_is_abs {X ← γ(l@p2) − γ(m@p2), x ← γ(l@p2) − γ(m@p2)}, 
  floor_mon {x ← iabs(X@p3)}, 
  floor_int {i ← iabs(X@p3)} 

okay_pairs_floor_pr: Prove okay_pairs_floor from 
  okay_pairs {p3 ← p3@p2}, 
  okay_pairs {x ← ⌊x⌋}, 
  iabs_is_abs {x ← γ(p3@p2) − θ(p3@p2), X ← γ(p3@p2) − θ(p3@p2)}, 
  floor_mon {x ← iabs(X@p3), y ← x}, 
  floor_int {i ← iabs(X@p3)} 

precision_enhancement_ax_pr: Prove precision_enhancement_ax from 
  precision_enhancement_recovery_ax 

accuracy_preservation_ax_pr: Prove accuracy_preservation_ax from 
  accuracy_preservation_recovery_ax 

okay_Reading_defn_rl_pr: Prove 
  okay_Reading_defn_rl {p1 ← p1@P1S, q1 ← q1@P1S} from okay_Reading 

okay_Reading_defn_lr_pr: Prove okay_Reading_defn_lr from 
  okay_Reading {p1 ← p1@CS, q1 ← q1@CS} 

okay_Readvars_defn_rl_pr: Prove okay_Readvars_defn_rl {p3 ← p3@P1S} from 
  okay_Readvars 

okay_Readvars_defn_lr_pr: Prove okay_Readvars_defn_lr from 
  okay_Readvars {p3 ← p3@CS} 

precision_enhancement_pr: Prove precision_enhancement from 
  precision_enhancement_ax {ppred ← (λ q : correct(q, t_p^{i+1}))}, 
  okay_Readpred_Reading {t ← t_p^{i+1}, y ← Y}, 
  okay_Readpred_Reading {t ← t_p^{i+1}, y ← Y, γ ← θ}, 
  okay_pairs_Readvars {t ← t_p^{i+1}, x ← X}, 
  correct_count {t ← t_p^{i+1}} 

okay_Readpred_Reading_pr: Prove okay_Readpred_Reading from 
  okay_Readpred {ppred ← (λ p : correct(p, t))}, 
  okay_Reading {p1 ← l@P1S, q1 ← m@P1S} 

okay_pairs_Readvars_pr: Prove okay_pairs_Readvars from 
  okay_pairs {ppred ← (λ p : correct(p, t))}, okay_Readvars {p3 ← p3@P1S} 

rts_0_proof: Prove rts_0 from rts0 {t ← t_p^{i+1}} 

rts_1_proof: Prove rts_1 from rts1 {t ← t_p^{i+1}} 

End clockassumptions 
Appendix B 

Bounded Delay Modules 


This appendix contains the Ehdm proof modules for the extended clock synchro- 
nization theory. The proof chain analysis is taken from modules delay4, rmax_rmin and 
new_basics. Module delay4 contains the proofs of bounded delay, whereas rmax_rmin and 
new_basics show that the new conditions are sufficient for establishing some of the old 
constraints from Shankar's theory. Several lines of the proof analysis have been deleted; 
pertinent information concerning the axioms at the base of the proof chain remains. 


B.l Proof Analysis 

B.1.1 Proof Chain for delay4 


Terse proof chains for module delay4 


SUMMARY 

The proof chain is complete 

The axioms and assumptions at the base are: 
clockassumptions.IClock_defn 
clockassumptions.N_maxfaults 
clockassumptions.accuracy_preservation_recovery_ax 
clockassumptions.precision_enhancement_recovery_ax 
clockassumptions.rho_0 
clockassumptions.translation_invariance 
delay.FIX_SYNC 
delay.RATE_1 
delay.RATE_2 
delay.R_FIX_SYNC_0 
delay.betaread_ax 
delay.bnd_delay_init 
delay.fix_between_sync 
delay.good_read_pred_ax1 
delay.read_self 
delay.reading_error3 
delay.rts_new_1 
delay.rts_new_2 
delay.synctime0_defn 
delay.synctime_defn 
delay.wpred_ax 
delay.wpred_correct 
delay.wpred_preceding 
delay3.betaprime_ax 
delay3.recovery_lemma 
delay4.option1_defn 
delay4.option2_defn 
delay4.options_exhausted 
division.mult_div_1 
division.mult_div_2 
division.mult_div_3 
floor_ceil.ceil_defn 
floor_ceil.floor_defn 
multiplication.mult_non_neg 
multiplication.mult_pos 
noetherian[EXPR, EXPR].general_induction 
Total: 36 


B.1.2 Proof Chain for rmax_rmin 

Terse proof chains for module rmax_rmin 


SUMMARY 

The proof chain is complete 

The axioms and assumptions at the base are: 
clockassumptions.IClock_defn 
clockassumptions.accuracy_preservation_recovery_ax 
clockassumptions.precision_enhancement_recovery_ax 
clockassumptions.rho_0 
clockassumptions.translation_invariance 
delay.FIX_SYNC 
delay.RATE_1 
delay.RATE_2 
delay.R_FIX_SYNC_0 
delay.betaread_ax 
delay.bnd_delay_init 
delay.fix_between_sync 
delay.good_read_pred_ax1 
delay.read_self 
delay.reading_error3 
delay.rts_new_1 
delay.rts_new_2 
delay.synctime0_defn 
delay.synctime_defn 
delay.wpred_ax 
delay.wpred_correct 
delay.wpred_preceding 
delay3.betaprime_ax 
delay3.recovery_lemma 
delay4.option1_defn 
delay4.option2_defn 
delay4.options_exhausted 
division.mult_div_1 
division.mult_div_2 
division.mult_div_3 
floor_ceil.ceil_defn 
floor_ceil.floor_defn 
multiplication.mult_non_neg 
multiplication.mult_pos 
noetherian[EXPR, EXPR].general_induction 
rmax_rmin.ADJ_recovery 
Total: 36 


B.1.3 Proof Chain for new_basics 

Terse proof chains for module new_basics 


SUMMARY 

The proof chain is complete 

The axioms and assumptions at the base are: 
clockassumptions.IClock_defn 
clockassumptions.N_maxfaults 
clockassumptions.accuracy_preservation_recovery_ax 
clockassumptions.precision_enhancement_recovery_ax 
clockassumptions.rho_0 
clockassumptions.translation_invariance 
delay.FIX_SYNC 
delay.RATE_1 
delay.RATE_2 
delay.R_FIX_SYNC_0 
delay.betaread_ax 
delay.bnd_delay_init 
delay.fix_between_sync 
delay.good_read_pred_ax1 
delay.read_self 
delay.reading_error3 
delay.rts_new_1 
delay.rts_new_2 
delay.synctime0_defn 
delay.synctime_defn 
delay.wpred_ax 
delay.wpred_correct 
delay.wpred_preceding 
delay3.betaprime_ax 
delay3.recovery_lemma 
delay4.option1_defn 
delay4.option2_defn 
delay4.options_exhausted 
division.mult_div_1 
division.mult_div_2 
division.mult_div_3 
floor_ceil.ceil_defn 
floor_ceil.floor_defn 
multiplication.mult_non_neg 
multiplication.mult_pos 
new_basics.delay_recovery 
new_basics.nonoverlap 
noetherian[EXPR, EXPR].general_induction 
rmax_rmin.ADJ_recovery 
Total: 39 
B.2 delay

delay: Module
Using arith, clockassumptions
Exporting all with clockassumptions
Theory

p, q, p1, q1: Var process

i, j, k: Var event

X, S, T: Var Clocktime

s, t, t1, t2: Var time

γ: Var function[process → Clocktime]

β_read, Δ': number
R: Clocktime

betaread_ax: Axiom β' ≤ β_read ∧ β_read ≤ β/2

ppred, ppred1: Var function[process → bool]

S^0: Clocktime

S^{*1}: function[event → Clocktime] = (λ i : i * R + S^0)

pc_{*1}(*2): function[process, Clocktime → time]

ic^{*3}_{*1}(*2): function[process, event, Clocktime → time] =
  (λ p, i, T : pc_p(T − adj^i_p))

s^{*2}_{*1}: function[process, event → time] = (λ p, i : ic^i_p(S^i))

T^0: Clocktime

T^{*2}_{*1}: function[process, event → Clocktime]

synctime_defn: Axiom t^{i+1}_p = ic^{i+1}_p(T^{i+1}_p)

synctime0_defn: Axiom t^0_p = ic^0_p(T^0)

FIX_SYNC: Axiom S^0 ≥ T^0

R_FIX_SYNC_0: Axiom R > (S^0 − T^0)

R_0: Lemma R > 0

good_read_pred: function[event → function[process, process → bool]]

correct_during: function[process, time, time → bool] =
  (λ p, t, s : t ≤ s ∧ (∀ t1 : t ≤ t1 ∧ t1 ≤ s ⊃ correct(p, t1)))

wpred: function[event → function[process → bool]]
rpred: function[event → function[process → bool]]
wvr_pred: function[event → function[process → bool]] =
  (λ i : (λ p : wpred(i)(p) ∨ rpred(i)(p)))
working: function[process, time → bool] =
  (λ p, t : (∃ i : wpred(i)(p) ∧ t^i_p ≤ t ∧ t < t^{i+1}_p))

wvr_defn: Lemma wvr_pred(i) = (λ p : wpred(i)(p) ∨ rpred(i)(p))
wpred_wvr: Lemma wpred(i)(p) ⊃ wvr_pred(i)(p)
rpred_wvr: Lemma rpred(i)(p) ⊃ wvr_pred(i)(p)
wpred_ax: Axiom count(wpred(i), N) ≥ N − F
wvr_count: Lemma count(wvr_pred(i), N) ≥ N − F
wpred_correct: Axiom wpred(i)(p) ⊃ correct_during(p, t^i_p, t^{i+1}_p)
wpred_preceding: Axiom wpred(i + 1)(p) ⊃ wpred(i)(p) ∨ rpred(i)(p)
wpred_rpred_disjoint: Axiom ¬(wpred(i)(p) ∧ rpred(i)(p))
wpred_bridge: Axiom
  wvr_pred(i)(p) ∧ correct_during(p, t^{i+1}_p, t^{i+2}_p) ⊃ wpred(i + 1)(p)

wpred_fixtime: Lemma wpred(i)(p) ⊃ correct_during(p, s^i_p, t^{i+1}_p)

wpred_fixtime_low: Lemma wpred(i)(p) ⊃ correct_during(p, t^i_p, s^i_p)

correct_during_trans: Lemma
  correct_during(p, t, t2) ∧ correct_during(p, t2, s)
  ⊃ correct_during(p, t, s)

correct_during_sub_left: Lemma
  correct_during(p, t, s) ∧ t ≤ t2 ∧ t2 ≤ s ⊃ correct_during(p, t, t2)

correct_during_sub_right: Lemma
  correct_during(p, t, s) ∧ t ≤ t2 ∧ t2 ≤ s ⊃ correct_during(p, t2, s)

wpred_lo_lem: Lemma wpred(i)(p) ⊃ correct(p, t^i_p)

wpred_hi_lem: Lemma wpred(i)(p) ⊃ correct(p, t^{i+1}_p)

correct_during_hi: Lemma correct_during(p, t, s) ⊃ correct(p, s)

correct_during_lo: Lemma correct_during(p, t, s) ⊃ correct(p, t)

clock_ax1: Axiom PC_p(pc_p(T)) = T

clock_ax2: Axiom pc_p(PC_p(t)) ≤ t ∧ t < pc_p(PC_p(t) + 1)

iclock_defn: Lemma ic^i_p(T) = pc_p(T − adj^i_p)

iclock0_defn: Lemma ic^0_p(T) = pc_p(T)

iclock_lem: Lemma correct(p, ic^i_p(T)) ⊃ IC^i_p(ic^i_p(T)) = T

ADJ^{*2}_{*1}: function[process, event → Clocktime] = (λ p, i : adj^{i+1}_p − adj^i_p)

IClock_ADJ_lem: Lemma correct(p, t) ⊃ IC^{i+1}_p(t) = IC^i_p(t) + ADJ^i_p
iclock_ADJ_lem: Lemma ic^{i+1}_p(T) = ic^i_p(T − ADJ^i_p)
rts_new_1: Axiom correct(p, t^{i+1}_p) ⊃ S^i + α(⌊β' + 2 * Δ'⌋) ≤ T^{i+1}_p
rts_new_2: Axiom correct(p, t^i_p) ⊃ T^i_p ≤ S^i − α(⌊β' + 2 * Δ'⌋)

FIXTIME_bound: Lemma
  correct(p, t^{i+1}_p) ⊃ S^{i+1} ≥ S^i + 2 * α(⌊β' + 2 * Δ'⌋)

R_bound: Lemma correct(p, t^{i+1}_p) ⊃ R ≥ 2 * α(⌊β' + 2 * Δ'⌋)

RATE_1: Axiom correct_during(p, pc_p(T), pc_p(S)) ∧ S ≥ T
  ⊃ pc_p(S) − pc_p(T) ≤ (S − T) * (1 + ρ)

RATE_2: Axiom correct_during(p, pc_p(T), pc_p(S)) ∧ S ≥ T
  ⊃ pc_p(S) − pc_p(T) ≥ (S − T)/(1 + ρ)

RATE_1_iclock: Lemma
  correct_during(p, ic^i_p(T), ic^i_p(S)) ∧ S ≥ T
  ⊃ ic^i_p(S) − ic^i_p(T) ≤ (S − T) * (1 + ρ)

RATE_2_iclock: Lemma
  correct_during(p, ic^i_p(T), ic^i_p(S)) ∧ S ≥ T
  ⊃ ic^i_p(S) − ic^i_p(T) ≥ (S − T)/(1 + ρ)

rate_simplify: Lemma S ≥ T ⊃ (S − T)/(1 + ρ) ≥ (S − T) * (1 − ρ)

rate_simplify_step: Lemma S ≥ T ⊃ (1 + ρ) * (S − T) * (1 − ρ) ≤ S − T

RATE_2_simplify: Lemma
  correct_during(p, pc_p(T), pc_p(S)) ∧ S ≥ T
  ⊃ pc_p(S) − pc_p(T) ≥ (S − T) * (1 − ρ)

RATE_2_simplify_iclock: Lemma
  correct_during(p, ic^i_p(T), ic^i_p(S)) ∧ S ≥ T
  ⊃ ic^i_p(S) − ic^i_p(T) ≥ (S − T) * (1 − ρ)

RATE_lemma1: Lemma
  correct_during(p, pc_p(T), pc_p(S))
  ∧ correct_during(q, pc_q(T), pc_q(S)) ∧ S ≥ T
  ⊃ |pc_p(S) − pc_q(S)| ≤ |pc_p(T) − pc_q(T)| + 2 * ρ * (S − T)

RATE_lemma1_iclock: Lemma
  correct_during(p, ic^i_p(T), ic^i_p(S))
  ∧ correct_during(q, ic^i_q(T), ic^i_q(S)) ∧ S ≥ T
  ⊃ |ic^i_p(S) − ic^i_q(S)| ≤ |ic^i_p(T) − ic^i_q(T)| + 2 * ρ * (S − T)

RATE_lemma2: Lemma
  correct_during(p, pc_p(T), pc_p(S)) ∧ S ≥ T
  ⊃ |(pc_p(S) − S) − (pc_p(T) − T)| ≤ ρ * (|S − T|)

RATE_lemma2_iclock: Lemma
  correct_during(p, ic^i_p(T), ic^i_p(S)) ∧ S ≥ T
  ⊃ |(ic^i_p(S) − S) − (ic^i_p(T) − T)| ≤ ρ * (|S − T|)
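A numeric model of the rate axioms RATE_1/RATE_2 and of the derived bounds RATE_lemma1, RATE_lemma2 and iclock_ADJ_lem, added here as an example and not part of the Ehdm listing: the physical clocks pc_p, the adjustments adj^i_p, the drift bound ρ and the sample Clocktime values are all constructed, and the processes are assumed correct over the whole constructed interval, so only the rate conditions are modelled.

```python
"""Numeric check of the `delay` module's rate axioms and derived lemmas.

Added example; the clocks below are constructed, not taken from the report.
pc_p maps Clocktime to real time. RATE_1/RATE_2 require that, on any interval
[T, S] during which p is correct, pc_p(S) - pc_p(T) lies between (S-T)/(1+rho)
and (S-T)*(1+rho). We model pc_p as a piecewise-linear map whose slope on every
segment lies in that band, then check the lemmas with exact rational arithmetic.
"""
from fractions import Fraction as Fr


class PhysicalClock:
    """pc_p: Clocktime -> time, piecewise linear for Clocktime >= 0.

    segments: list of (T_start, slope), sorted by T_start, first T_start == 0.
    offset: real time at Clocktime 0 (the clock's initial skew).
    """

    def __init__(self, offset, segments):
        self.offset = Fr(offset)
        self.segments = [(Fr(T0), Fr(k)) for T0, k in segments]

    def pc(self, T):
        T = Fr(T)
        assert T >= 0, "constructed clocks are defined for Clocktime >= 0"
        t = self.offset
        for idx, (T0, k) in enumerate(self.segments):
            T1 = self.segments[idx + 1][0] if idx + 1 < len(self.segments) else T
            hi = min(T, T1)
            if hi > T0:
                t += k * (hi - T0)
        return t


class IntervalClock:
    """ic^i_p(T) = pc_p(T - adj^i_p), with ADJ^i_p = adj^{i+1}_p - adj^i_p."""

    def __init__(self, pclock, adj):
        self.pclock = pclock
        self.adj = [Fr(a) for a in adj]  # adj^0_p, adj^1_p, ...

    def ic(self, i, T):
        return self.pclock.pc(Fr(T) - self.adj[i])

    def ADJ(self, i):
        return self.adj[i + 1] - self.adj[i]


def rate_axioms_hold(clock, rho, T, S):
    """RATE_1 and RATE_2 on [T, S] (S >= T assumed, as in the axioms)."""
    T, S, rho = Fr(T), Fr(S), Fr(rho)
    d = clock.pc(S) - clock.pc(T)
    return (S - T) / (1 + rho) <= d <= (S - T) * (1 + rho)


def rate_lemma1_holds(cp, cq, rho, T, S):
    """|pc_p(S) - pc_q(S)| <= |pc_p(T) - pc_q(T)| + 2*rho*(S - T)."""
    T, S, rho = Fr(T), Fr(S), Fr(rho)
    lhs = abs(cp.pc(S) - cq.pc(S))
    return lhs <= abs(cp.pc(T) - cq.pc(T)) + 2 * rho * (S - T)


def rate_lemma2_holds(cp, rho, T, S):
    """|(pc_p(S) - S) - (pc_p(T) - T)| <= rho*|S - T|: drift of the skew."""
    T, S, rho = Fr(T), Fr(S), Fr(rho)
    return abs((cp.pc(S) - S) - (cp.pc(T) - T)) <= rho * abs(S - T)


def iclock_adj_lem_holds(iclock, i, T):
    """ic^{i+1}_p(T) = ic^i_p(T - ADJ^i_p)."""
    return iclock.ic(i + 1, T) == iclock.ic(i, Fr(T) - iclock.ADJ(i))


def all_pairs_hold(cp, cq, rho, grid):
    """Both lemmas for every T <= S drawn from `grid` (spot check of a universal claim)."""
    grid = sorted(Fr(x) for x in grid)
    return all(
        rate_lemma1_holds(cp, cq, rho, T, S) and rate_lemma2_holds(cp, rho, T, S)
        for T in grid for S in grid if S >= T
    )


# Constructed sample data (not from the report): rho = 10^-3, two clocks whose
# slopes stay inside [1/(1+rho), 1+rho], one that runs 3*rho too fast, and a
# set of cumulative adjustments adj^0, adj^1, adj^2 for p.
RHO = Fr(1, 1000)
SAMPLE_P = PhysicalClock(0, [(0, 1 + RHO), (50, 1 - RHO / 2)])
SAMPLE_Q = PhysicalClock(Fr(3, 2), [(0, 1 / (1 + RHO))])
SAMPLE_BAD = PhysicalClock(0, [(0, 1 + 3 * RHO)])
SAMPLE_IC = IntervalClock(SAMPLE_P, [0, 2, -1])

if __name__ == "__main__":
    print("RATE axioms, p on [0,100]:", rate_axioms_hold(SAMPLE_P, RHO, 0, 100))
    print("RATE axioms, fast clock:", rate_axioms_hold(SAMPLE_BAD, RHO, 0, 100))
    print("lemma grid check:", all_pairs_hold(SAMPLE_P, SAMPLE_Q, RHO, range(0, 101, 10)))
    print("RATE_lemma2, fast clock:", rate_lemma2_holds(SAMPLE_BAD, RHO, 0, 100))
    print("iclock_ADJ_lem, i=1, T=60:", iclock_adj_lem_holds(SAMPLE_IC, 1, 60))
```

The fast clock violates RATE_1 and, as the listing's proof of RATE_lemma2 from RATE_1 and RATE_2_simplify predicts, also breaks the skew-drift bound.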

bnd_delay_init: Axiom
  wpred(0)(p) ∧ wpred(0)(q)
  ⊃ |t^0_p − t^0_q| ≤ β' − 2 * ρ * (S^0 − T^0) ∧ β' − 2 * (ρ * (S^0 − T^0)) ≤ β

bnd_delay_off_init: Lemma wpred(0)(p) ∧ wpred(0)(q) ⊃ |s^0_p − s^0_q| ≤ β'

good_read_pred_ax1: Axiom
  correct_during(p, s^i_p, t^{i+1}_p)
  ∧ correct_during(q, s^i_q, t^{i+1}_q) ∧ |s^i_p − s^i_q| ≤ β_read
  ⊃ good_read_pred(i)(p, q)

reading_error3: Axiom
  good_read_pred(i)(p, q)
  ⊃ |(Θ^{i+1}_p(q) − IC^i_p(t^{i+1}_p)) − (s^i_p − s^i_q)| ≤ Δ'

ADJ_lem1: Lemma correct_during(p, s^i_p, t^{i+1}_p)
  ⊃ (ADJ^i_p = cfn(p, (λ p1 : Θ^{i+1}_p(p1) − IC^i_p(t^{i+1}_p))))

ADJ_lem2: Lemma correct_during(p, s^i_p, t^{i+1}_p)
  ⊃ (ADJ^i_p = cfn(p, Θ^{i+1}_p) − IC^i_p(t^{i+1}_p))

read_self: Axiom wpred(i)(p) ⊃ Θ^{i+1}_p(p) = IC^i_p(t^{i+1}_p)

fix_between_sync: Axiom
  correct_during(p, t^i_p, t^{i+1}_p) ⊃ t^i_p ≤ s^i_p ∧ s^i_p ≤ t^{i+1}_p

rts_2_lo: Lemma wpred(i)(p) ∧ wpred(i)(q) ⊃ |t^i_p − t^i_q| ≤ β

rts_2_hi: Axiom wpred(i)(p) ∧ wpred(i)(q) ⊃ |t^{i+1}_p − t^{i+1}_q| ≤ β

Proof

R_0_pr: Prove R_0 from R_FIX_SYNC_0, FIX_SYNC

FIXTIME_bound_pr: Prove FIXTIME_bound from rts_new_1, rts_new_2 {i ← i + 1}
R_bound_pr: Prove R_bound from FIXTIME_bound, S^{*1}, S^{*1} {i ← i + 1}
iclock_defn_pr: Prove iclock_defn from ic^{*3}_{*1}(*2)

wpred_fixtime_pr: Prove wpred_fixtime from
  fix_between_sync,
  wpred_correct,
  correct_during_sub_right {s ← t^{i+1}_p, t ← t^i_p, t2 ← s^i_p}

wpred_fixtime_low_pr: Prove wpred_fixtime_low from
  fix_between_sync,
  wpred_correct,
  correct_during_sub_left {s ← t^{i+1}_p, t ← t^i_p, t2 ← s^i_p}

correct_during_sub_left_pr: Prove correct_during_sub_left from
  correct_during {s ← t2}, correct_during {t1 ← t1@p1}

correct_during_sub_right_pr: Prove correct_during_sub_right from
  correct_during {t ← t2}, correct_during {t1 ← t1@p1}

correct_during_trans_pr: Prove correct_during_trans from
  correct_during,
  correct_during {s ← t2, t1 ← t1@p1},
  correct_during {t ← t2, t1 ← t1@p1}

wpred_wvr_pr: Prove wpred_wvr from wvr_defn

rpred_wvr_pr: Prove rpred_wvr from wvr_defn

wvr_defn_hack: Lemma
  (∀ p : wvr_pred(i)(p) = ((λ p : wpred(i)(p) ∨ rpred(i)(p))(p)))

wvr_defn_hack_pr: Prove wvr_defn_hack from wvr_pred {p ← p@c}

wvr_defn_pr: Prove wvr_defn from
  pred_extensionality
    {pred1 ← wvr_pred(i),
     pred2 ← (λ p : wpred(i)(p) ∨ rpred(i)(p))},
  wvr_defn_hack {p ← p@p1}

wvr_count_pr: Prove wvr_count from
  wpred_ax,
  count_imp
    {ppred1 ← wpred(i),
     ppred2 ← (λ p : wpred(i)(p) ∨ rpred(i)(p)),
     n ← N},
  wvr_defn,
  imp_pred_or {ppred1 ← wpred(i), ppred2 ← rpred(i)}

w, x, y, z: Var number

bd_hack: Lemma |w| ≤ x − y ∧ |z| ≤ |w| + y ⊃ |z| ≤ x
bd_hack_pr: Prove bd_hack

bnd_delay_off_init_pr: Prove bnd_delay_off_init from
  bnd_delay_init,
  RATE_lemma1_iclock {S ← S^0, T ← T^0, i ← 0},
  FIX_SYNC,
  synctime0_defn,
  synctime0_defn {p ← q},
  s^{*2}_{*1} {i ← 0},
  s^{*2}_{*1} {i ← 0, p ← q},
  wpred_fixtime_low {i ← 0},
  wpred_fixtime_low {p ← q, i ← 0},
  S^{*1} {i ← 0}

mult_abs_hack: Lemma x * (1 − ρ) ≤ y ∧ y ≤ x * (1 + ρ) ⊃ |y − x| ≤ ρ * x

mult_abs_hack_pr: Prove mult_abs_hack from
  mult_ldistrib {y ← 1, z ← ρ},
  mult_ldistrib_minus {y ← 1, z ← ρ},
  mult_rident,
  abs_3_bnd {x ← y, y ← x, z ← ρ * x},
  mult_com {y ← ρ}

RATE_1_iclock_pr: Prove RATE_1_iclock from
  RATE_1 {S ← S − adj^i_p, T ← T − adj^i_p},
  iclock_defn,
  iclock_defn {T ← S}

RATE_2_iclock_pr: Prove RATE_2_iclock from
  RATE_2 {S ← S − adj^i_p, T ← T − adj^i_p},
  iclock_defn,
  iclock_defn {T ← S}

RATE_2_simplify_iclock_pr: Prove RATE_2_simplify_iclock from
  RATE_2_simplify {S ← S − adj^i_p, T ← T − adj^i_p},
  iclock_defn,
  iclock_defn {T ← S}

RATE_lemma1_sym: Lemma
  correct_during(p, pc_p(T), pc_p(S))
  ∧ correct_during(q, pc_q(T), pc_q(S)) ∧ S ≥ T ∧ pc_p(S) ≥ pc_q(S)
  ⊃ |pc_p(S) − pc_q(S)| ≤ |pc_p(T) − pc_q(T)| + 2 * ρ * (S − T)

Rl1hack: Lemma w ≤ x ∧ y ≤ z ∧ y ≥ x ⊃ |y − x| ≤ |z − w|

Rl1hack_pr: Prove Rl1hack from |*1| {x ← y − x}, |*1| {x ← z − w}
RATE_lemma1_sym_pr: Prove RATE_lemma1_sym from
  RATE_1,
  RATE_2_simplify {p ← q},
  Rl1hack
    {x ← pc_q(S),
     y ← pc_p(S),
     w ← pc_q(T) + (S − T) * (1 − ρ),
     z ← pc_p(T) + (S − T) * (1 + ρ)},
  mult_ldistrib {x ← S − T, y ← 1, z ← ρ},
  mult_ldistrib_minus {x ← S − T, y ← 1, z ← ρ},
  abs_plus {x ← pc_p(T) − pc_q(T), y ← 2 * ρ * (S − T)},
  mult_com {x ← ρ, y ← S − T},
  abs_ge0 {x ← 2 * ρ * (S − T)},
  mult_non_neg {x ← ρ, y ← S − T},
  rho_0

RATE_lemma1_pr: Prove RATE_lemma1 from
  RATE_lemma1_sym,
  RATE_lemma1_sym {p ← q, q ← p},
  abs_com {x ← pc_p(S), y ← pc_q(S)},
  abs_com {x ← pc_p(T), y ← pc_q(T)}

RATE_lemma1_iclock_sym: Lemma
  correct_during(p, ic^i_p(T), ic^i_p(S))
  ∧ correct_during(q, ic^i_q(T), ic^i_q(S)) ∧ S ≥ T ∧ ic^i_p(S) ≥ ic^i_q(S)
  ⊃ |ic^i_p(S) − ic^i_q(S)| ≤ |ic^i_p(T) − ic^i_q(T)| + 2 * ρ * (S − T)

RATE_lemma1_iclock_sym_pr: Prove RATE_lemma1_iclock_sym from
  RATE_1_iclock,
  RATE_2_simplify_iclock {p ← q},
  Rl1hack
    {x ← ic^i_q(S),
     y ← ic^i_p(S),
     w ← ic^i_q(T) + (S − T) * (1 − ρ),
     z ← ic^i_p(T) + (S − T) * (1 + ρ)},
  mult_ldistrib {x ← S − T, y ← 1, z ← ρ},
  mult_ldistrib_minus {x ← S − T, y ← 1, z ← ρ},
  abs_plus {x ← ic^i_p(T) − ic^i_q(T), y ← 2 * ρ * (S − T)},
  mult_com {x ← ρ, y ← S − T},
  abs_ge0 {x ← 2 * ρ * (S − T)},
  mult_non_neg {x ← ρ, y ← S − T},
  rho_0
RATE_lemma1_iclock_pr: Prove RATE_lemma1_iclock from
  RATE_lemma1_iclock_sym,
  RATE_lemma1_iclock_sym {p ← q, q ← p},
  abs_com {x ← ic^i_p(S), y ← ic^i_q(S)},
  abs_com {x ← ic^i_p(T), y ← ic^i_q(T)}

RATE_lemma2_pr: Prove RATE_lemma2 from
  RATE_1,
  RATE_2_simplify,
  mult_abs_hack {x ← S − T, y ← pc_p(S) − pc_p(T)},
  abs_ge0 {x ← S − T}

RATE_lemma2_iclock_pr: Prove RATE_lemma2_iclock from
  RATE_lemma2 {S ← S − adj^i_p, T ← T − adj^i_p},
  iclock_defn {T ← S},
  iclock_defn

wpred_lo_lem_pr: Prove wpred_lo_lem from
  wpred_correct,
  correct_during {s ← t^{i+1}_p, t ← t^i_p, t1 ← t^i_p}

wpred_hi_lem_pr: Prove wpred_hi_lem from
  wpred_correct,
  correct_during {s ← t^{i+1}_p, t ← t^i_p, t1 ← t^{i+1}_p}

correct_during_hi_pr: Prove correct_during_hi from correct_during {t1 ← s}
correct_during_lo_pr: Prove correct_during_lo from correct_during {t1 ← t}
mult_assoc: Lemma x * (y * z) = (x * y) * z

mult_assoc_pr: Prove mult_assoc from
  *1 * *2 {y ← y * z},
  *1 * *2,
  *1 * *2 {x ← y, y ← z},
  *1 * *2 {x ← x * y, y ← z}

diff_squares: Lemma (1 + ρ) * (1 − ρ) = 1 − ρ * ρ

diff_squares_pr: Prove diff_squares from
  distrib {x ← 1, y ← ρ, z ← 1 − ρ},
  mult_lident {x ← 1 − ρ},
  mult_ldistrib_minus {x ← ρ, y ← 1, z ← ρ},
  mult_rident {x ← ρ}

rate_simplify_step_pr: Prove rate_simplify_step from
  mult_com {x ← (S − T), y ← (1 − ρ)},
  mult_assoc {x ← 1 + ρ, y ← 1 − ρ, z ← S − T},
  diff_squares,
  distrib_minus {x ← 1, y ← ρ * ρ, z ← S − T},
  mult_lident {x ← S − T},
  pos_product {x ← ρ * ρ, y ← S − T},
  pos_product {x ← ρ, y ← ρ},
  rho_0

rate_simplify_pr: Prove rate_simplify from
  div_ineq
    {z ← (1 + ρ),
     y ← (S − T),
     x ← (1 + ρ) * (S − T) * (1 − ρ)},
  div_cancel {x ← (1 + ρ), y ← (S − T) * (1 − ρ)},
  rho_0,
  rate_simplify_step
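The two proofs above chain arithmetic lemmas of the arith library; written out with the module's own symbols (added here as a worked derivation, not part of the Ehdm listing), the steps they cite are:

```latex
\begin{align*}
&\text{Assume } S \ge T \text{ and } \rho \ge 0 \quad (\texttt{rho\_0}).\\
(1+\rho)\,(S-T)\,(1-\rho) &= (1+\rho)(1-\rho)\,(S-T) && (\texttt{mult\_com},\ \texttt{mult\_assoc})\\
 &= (1-\rho\rho)\,(S-T) && (\texttt{diff\_squares})\\
 &= (S-T) - \rho\rho\,(S-T) && (\texttt{distrib\_minus},\ \texttt{mult\_lident})\\
 &\le S-T && (\texttt{pos\_product}:\ \rho\rho \ge 0,\ \rho\rho\,(S-T) \ge 0)
\end{align*}
```

This is rate_simplify_step. Because 1 + ρ > 0, dividing both sides by 1 + ρ (div_ineq, div_cancel) gives (S − T)(1 − ρ) ≤ (S − T)/(1 + ρ), which is rate_simplify; combined with RATE_2 it yields RATE_2_simplify, pc_p(S) − pc_p(T) ≥ (S − T)/(1 + ρ) ≥ (S − T)(1 − ρ), the lower bound that RATE_lemma1 and RATE_lemma2 then use in place of the division.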

RATE_2_simplify_pr: Prove RATE_2_simplify from RATE_2, rate_simplify

iclock_lem_pr: Prove iclock_lem from
  iclock_defn, IClock_defn {t ← ic^i_p(T)}, clock_ax1 {T ← T − adj^i_p}

IClock_ADJ_lem_pr: Prove IClock_ADJ_lem from
  IClock_defn, IClock_defn {i ← i + 1}, ADJ^{*2}_{*1}

iclock_ADJ_lem_pr: Prove iclock_ADJ_lem from
  iclock_defn {T ← T − ADJ^i_p}, iclock_defn {i ← i + 1}, ADJ^{*2}_{*1}

ADJ_lem1_pr: Prove ADJ_lem1 from
  ADJ_lem2,
  translation_invariance {X ← IC^i_p(t^{i+1}_p), γ ← Θ^{i+1}_p}

ADJ_lem2_pr: Prove ADJ_lem2 from
  ADJ^{*2}_{*1},
  adj^{*2}_{*1} {i ← i + 1},
  IClock_defn {t ← t^{i+1}_p, i ← i},
  correct_during_hi {t ← s^i_p, s ← t^{i+1}_p}

End delay
B.3 delay2

delay2: Module

Using arith, clockassumptions, delay
Exporting all with clockassumptions, delay

Theory

p, q, p1, q1: Var process
i: Var event

delay_pred: function[event → bool] =
  (λ i : (∀ p, q : wpred(i)(p) ∧ wpred(i)(q) ⊃ |s^i_p − s^i_q| ≤ β'))

ADJ_pred: function[event → bool] =
  (λ i : (∀ p : i ≥ 1 ∧ wpred(i − 1)(p) ⊃ |ADJ^{i−1}_p| ≤ α(⌊β' + 2 * Δ'⌋)))

delay_pred_lr: Lemma
  delay_pred(i) ⊃ (wpred(i)(p) ∧ wpred(i)(q) ⊃ |s^i_p − s^i_q| ≤ β')

bnd_delay_offset: Theorem ADJ_pred(i) ∧ delay_pred(i)
bnd_delay_offset_0: Lemma ADJ_pred(0) ∧ delay_pred(0)

bnd_delay_offset_ind: Lemma
  ADJ_pred(i) ∧ delay_pred(i) ⊃ ADJ_pred(i + 1) ∧ delay_pred(i + 1)

bnd_delay_offset_ind_a: Lemma delay_pred(i) ⊃ ADJ_pred(i + 1)

bnd_delay_offset_ind_b: Lemma
  delay_pred(i) ∧ ADJ_pred(i + 1) ⊃ delay_pred(i + 1)

good_ReadClock: Lemma
  delay_pred(i) ∧ wpred(i)(p) ⊃ okay_Readpred(Θ^{i+1}_p, β' + 2 * Δ', wpred(i))

good_ReadClock_recover: Axiom
  delay_pred(i) ∧ rpred(i)(p) ⊃ okay_Readpred(Θ^{i+1}_p, β' + 2 * Δ', wpred(i))

delay_prec_enh: Lemma
  delay_pred(i) ∧ wpred(i)(p) ∧ wpred(i)(q)
  ⊃ |(s^i_p − s^i_q) − (ADJ^i_p − ADJ^i_q)| ≤ π(⌊2 * Δ' + 2⌋, ⌊β' + 2 * Δ'⌋)

delay_prec_enh_step1: Lemma
  delay_pred(i) ∧ wpred(i)(p) ∧ wpred(i)(q)
  ⊃ |cfn(p, (λ p1 : Θ^{i+1}_p(p1) − IC^i_p(t^{i+1}_p) − ⌊s^i_p⌋))
     − cfn(q, (λ p1 : Θ^{i+1}_q(p1) − IC^i_q(t^{i+1}_q) − ⌈s^i_q⌉))|
    ≤ π(⌊2 * Δ' + 2⌋, ⌊β' + 2 * Δ'⌋)
delay_prec_enh_step1_sym: Lemma
  delay_pred(i) ∧ wpred(i)(p) ∧ wpred(i)(q) ∧ (ADJ^i_p − s^i_p ≥ ADJ^i_q − s^i_q)
  ⊃ |(ADJ^i_p − s^i_p) − (ADJ^i_q − s^i_q)|
    ≤ |cfn(p, (λ p1 : Θ^{i+1}_p(p1) − IC^i_p(t^{i+1}_p) − ⌊s^i_p⌋))
       − cfn(q, (λ p1 : Θ^{i+1}_q(p1) − IC^i_q(t^{i+1}_q) − ⌈s^i_q⌉))|

prec_enh_hyp1: Lemma
  delay_pred(i) ∧ wpred(i)(p) ∧ wpred(i)(q)
  ⊃ okay_pairs((λ p1 : Θ^{i+1}_p(p1) − IC^i_p(t^{i+1}_p) − ⌊s^i_p⌋),
               (λ p1 : Θ^{i+1}_q(p1) − IC^i_q(t^{i+1}_q) − ⌈s^i_q⌉),
               2 * Δ' + 2,
               wpred(i))

prec_enh_hyp_2: Lemma
  delay_pred(i) ∧ wpred(i)(p)
  ⊃ okay_Readpred((λ p1 : Θ^{i+1}_p(p1) − IC^i_p(t^{i+1}_p) − ⌊s^i_p⌋),
                  β' + 2 * Δ',
                  wpred(i))

prec_enh_hyp_3: Lemma
  delay_pred(i) ∧ wpred(i)(q)
  ⊃ okay_Readpred((λ p1 : Θ^{i+1}_q(p1) − IC^i_q(t^{i+1}_q) − ⌈s^i_q⌉),
                  β' + 2 * Δ',
                  wpred(i))

Proof

delay_pred_lr_pr: Prove delay_pred_lr from delay_pred
delay_prec_enh_step1_pr: Prove delay_prec_enh_step1 from
  precision_enhancement_ax
    {ppred ← wpred(i),
     Y ← ⌊β' + 2 * Δ'⌋,
     X ← ⌊2 * Δ' + 2⌋,
     γ ← (λ p1 : Θ^{i+1}_p(p1) − IC^i_p(t^{i+1}_p) − ⌊s^i_p⌋),
     θ ← (λ p1 : Θ^{i+1}_q(p1) − IC^i_q(t^{i+1}_q) − ⌈s^i_q⌉)},
  prec_enh_hyp1,
  prec_enh_hyp_2,
  prec_enh_hyp_3,
  wpred_ax,
  okay_Readpred_floor
    {ppred ← wpred(i),
     y ← β' + 2 * Δ',
     γ ← γ@p1},
  okay_Readpred_floor
    {ppred ← wpred(i),
     y ← β' + 2 * Δ',
     γ ← θ@p1},
  okay_pairs_floor
    {ppred ← wpred(i),
     x ← 2 * Δ' + 2,
     γ ← γ@p1,
     θ ← θ@p1}

prec_enh_hyp_2_pr: Prove prec_enh_hyp_2 from
  good_ReadClock,
  okay_Readpred
    {γ ← (λ p1 : Θ^{i+1}_p(p1) − IC^i_p(t^{i+1}_p) − ⌊s^i_p⌋),
     y ← β' + 2 * Δ',
     ppred ← wpred(i)},
  okay_Readpred
    {γ ← Θ^{i+1}_p,
     y ← β' + 2 * Δ',
     ppred ← wpred(i),
     l ← l@p2,
     m ← m@p2}
prec_enh_hyp_3_pr: Prove prec_enh_hyp_3 from
  good_ReadClock {p ← q},
  okay_Readpred
    {γ ← (λ p1 : Θ^{i+1}_q(p1) − IC^i_q(t^{i+1}_q) − ⌈s^i_q⌉),
     y ← β' + 2 * Δ',
     ppred ← wpred(i)},
  okay_Readpred
    {γ ← Θ^{i+1}_q,
     y ← β' + 2 * Δ',
     ppred ← wpred(i),
     l ← l@p2,
     m ← m@p2}

bnd_del_off_0_pr: Prove bnd_delay_offset_0 from
  ADJ_pred {i ← 0},
  delay_pred {i ← 0},
  bnd_delay_off_init {p ← p@p2, q ← q@p2}

bnd_delay_offset_ind_pr: Prove bnd_delay_offset_ind from
  bnd_delay_offset_ind_a, bnd_delay_offset_ind_b

bnd_delay_offset_pr: Prove bnd_delay_offset from
  induction {prop ← (λ i : ADJ_pred(i) ∧ delay_pred(i))},
  bnd_delay_offset_0,
  bnd_delay_offset_ind {i ← j@p1}

a, b, c, d, e, f, g, h: Var number

abs_hack: Lemma |a − b|
  ≤ |e − f| + |(a − c) − (d − e)| + |(b − c) − (d − f)|

abs_hack_pr: Prove abs_hack from
  abs_com {x ← f, y ← e},
  abs_com {x ← (d − f), y ← (b − c)},
  abs_plus
    {x ← (f − e),
     y ← ((a − c) − (d − e)) + ((d − f) − (b − c))},
  abs_plus {x ← ((a − c) − (d − e)), y ← ((d − f) − (b − c))}

abshack2: Lemma |a| ≤ b ∧ |c| ≤ d ∧ |e| ≤ d ⊃ |a| + |c| + |e| ≤ b + 2 * d

abshack2_pr: Prove abshack2
good_ReadClock_pr: Prove good_ReadClock from
  okay_Readpred
    {γ ← Θ^{i+1}_p,
     y ← β' + 2 * Δ',
     ppred ← wpred(i)},
  delay_pred {p ← l@p1, q ← m@p1},
  delay_pred {q ← l@p1},
  delay_pred {q ← m@p1},
  reading_error3 {q ← l@p1},
  reading_error3 {q ← m@p1},
  abs_hack
    {a ← Θ^{i+1}_p(l@p1),
     b ← Θ^{i+1}_p(m@p1),
     c ← IC^i_p(t^{i+1}_p),
     d ← s^i_p,
     e ← s^i_{l@p1},
     f ← s^i_{m@p1}},
  abshack2
    {a ← e@p7 − f@p7,
     b ← β',
     c ← ((a@p7 − c@p7) − (d@p7 − e@p7)),
     d ← Δ',
     e ← ((b@p7 − c@p7) − (d@p7 − f@p7))},
  good_read_pred_ax1 {q ← l@p1},
  good_read_pred_ax1 {q ← m@p1},
  wpred_fixtime,
  wpred_fixtime {p ← l@p1},
  wpred_fixtime {p ← m@p1},
  betaread_ax
bnd_del_off_ind_a_pr: Prove bnd_delay_offset_ind_a from
  ADJ_pred {i ← i + 1},
  ADJ_lem2 {p ← p@p1},
  accuracy_preservation_ax
    {ppred ← wpred(i),
     γ ← Θ^{i+1}_{p@p1},
     p ← p@p1,
     q ← p@p1,
     X ← ⌊β' + 2 * Δ'⌋},
  wpred_ax,
  read_self {p ← p@p1},
  good_ReadClock {p ← p@p1},
  wpred_fixtime {p ← p@p1},
  okay_Readpred_floor
    {ppred ← wpred(i),
     γ ← γ@p3,
     y ← β' + 2 * Δ'}

abshack4: Lemma a − b ≥ c − d
  ⊃ |(a − b) − (c − d)| ≤ |(a − ⌊b⌋) − (c − ⌈d⌉)|

floor_hack: Lemma a − ⌊b⌋ ≥ a − b

floor_hack_pr: Prove floor_hack from floor_defn {x ← b}

ceil_hack: Lemma c − d ≥ c − ⌈d⌉

ceil_hack_pr: Prove ceil_hack from ceil_defn {x ← d}

abshack4_pr: Prove abshack4 from
  abs_ge0 {x ← (a − b) − (c − d)},
  abs_ge0 {x ← (a − ⌊b⌋) − (c − ⌈d⌉)},
  floor_hack,
  ceil_hack

X: Var Clocktime

ADJ_hack: Lemma wpred(i)(p)
  ⊃ ADJ^i_p − X = cfn(p, (λ p1 : Θ^{i+1}_p(p1) − IC^i_p(t^{i+1}_p) − X))

ADJ_hack_pr: Prove ADJ_hack from
  ADJ_lem1,
  translation_invariance
    {γ ← (λ p1 → Clocktime : Θ^{i+1}_p(p1) − IC^i_p(t^{i+1}_p)),
     X ← X},
  wpred_fixtime
delay_prec_enh_step1_sym_pr: Prove delay_prec_enh_step1_sym from
  ADJ_hack {X ← ⌊s^i_p⌋},
  ADJ_hack {p ← q, X ← ⌈s^i_q⌉},
  abshack4 {a ← ADJ^i_p, b ← s^i_p, c ← ADJ^i_q, d ← s^i_q}

abshack5: Lemma |((a − b) − (⌊c⌋ − d)) − ((e − f) − (⌈g⌉ − d))|
  ≤ |(a − b) − (⌊c⌋ − d)| + |(e − f) − (⌈g⌉ − d)|

abshack5_pr: Prove abshack5 from
  abs_com {x ← e − f, y ← ⌈g⌉ − d},
  abs_plus {x ← (a − b) − (⌊c⌋ − d), y ← (⌈g⌉ − d) − (e − f)}

absfloor: Lemma |a − ⌊b⌋| ≤ |a − b| + 1

absceil: Lemma |a − ⌈b⌉| ≤ |a − b| + 1

absfloor_pr: Prove absfloor from
  floor_defn {x ← b}, |*1| {x ← a − ⌊b⌋}, |*1| {x ← a − b}

absceil_pr: Prove absceil from
  ceil_defn {x ← b}, |*1| {x ← a − ⌈b⌉}, |*1| {x ← a − b}

abshack6a: Lemma |(a − b) − (⌊c⌋ − d)| ≤ |(a − b) − (c − d)| + 1

abshack6b: Lemma |(e − f) − (⌈g⌉ − d)| ≤ |(e − f) − (g − d)| + 1

abshack6a_pr: Prove abshack6a from
  absfloor {a ← (a − b) + d, b ← c},
  abs_plus {x ← (a − b) − (c − d), y ← 1},
  abs_ge0 {x ← 1}

abshack6b_pr: Prove abshack6b from
  absceil {a ← (e − f) + d, b ← g},
  abs_plus {x ← (e − f) − (g − d), y ← 1},
  abs_ge0 {x ← 1}

abshack7: Lemma |(a − b) − (c − d)| ≤ h ∧ |(e − f) − (g − d)| ≤ h
  ⊃ |((a − b) − (⌊c⌋ − d)) − ((e − f) − (⌈g⌉ − d))| ≤ 2 * (h + 1)

abshack7_pr: Prove abshack7 from abshack5, abshack6a, abshack6b
prec_enh_hyp1_pr: Prove prec_enh_hyp1 from
  okay_pairs
    {γ ← (λ p1 : Θ^{i+1}_p(p1) − IC^i_p(t^{i+1}_p) − ⌊s^i_p⌋),
     θ ← (λ p1 : Θ^{i+1}_q(p1) − IC^i_q(t^{i+1}_q) − ⌈s^i_q⌉),
     x ← 2 * (Δ' + 1),
     ppred ← wpred(i)},
  delay_pred {q ← p3@p1},
  delay_pred {p ← q, q ← p3@p1},
  reading_error3 {q ← p3@p1},
  reading_error3 {p ← q, q ← p3@p1},
  good_read_pred_ax1 {q ← p3@p1},
  good_read_pred_ax1 {p ← q, q ← p3@p1},
  abshack7
    {a ← Θ^{i+1}_p(p3@p1),
     b ← IC^i_p(t^{i+1}_p),
     c ← s^i_p,
     d ← s^i_{p3@p1},
     e ← Θ^{i+1}_q(p3@p1),
     f ← IC^i_q(t^{i+1}_q),
     g ← s^i_q,
     h ← Δ'},
  wpred_fixtime,
  wpred_fixtime {p ← q},
  wpred_fixtime {p ← p3@p1},
  betaread_ax

abshack3: Lemma |(a − b) − (c − d)| = |(c − a) − (d − b)|

abshack3_pr: Prove abshack3 from abs_com {x ← a − b, y ← c − d}

delay_prec_enh_pr: Prove delay_prec_enh from
  delay_prec_enh_step1,
  delay_prec_enh_step1 {p ← q, q ← p},
  delay_prec_enh_step1_sym,
  delay_prec_enh_step1_sym {p ← q, q ← p},
  abs_com {x ← ADJ^i_p − s^i_p, y ← ADJ^i_q − s^i_q},
  abshack3 {a ← s^i_p, b ← s^i_q, c ← ADJ^i_p, d ← ADJ^i_q}

End delay2
B.4 delay3

delay3: Module

Using arith, clockassumptions, delay2
Exporting all with clockassumptions, delay2
Theory

p, q, p1, q1: Var process
i: Var event
T: Var Clocktime

good_interval: function[process, event, Clocktime → bool] =
  (λ p, i, T : (correct_during(p, s^i_p, ic^{i+1}_p(T)) ∧ T − ADJ^i_p ≥ S^i)
               ∨ (correct_during(p, ic^{i+1}_p(T), s^i_p) ∧ S^i ≥ T − ADJ^i_p))

recovery_lemma: Axiom
  delay_pred(i) ∧ ADJ_pred(i + 1)
  ∧ rpred(i)(p) ∧ correct_during(p, t^{i+1}_p, t^{i+2}_p) ∧ wpred(i + 1)(q)
  ⊃ |s^{i+1}_p − s^{i+1}_q| ≤ β'

good_interval_lem: Lemma
  wpred(i)(p) ∧ wpred(i + 1)(p) ∧ ADJ_pred(i + 1) ⊃ good_interval(p, i, S^{i+1})

betaprime_ax: Axiom
  4 * ρ * (R + α(⌊β' + 2 * Δ'⌋)) + π(⌊2 * (Δ' + 1)⌋, ⌊β' + 2 * Δ'⌋) ≤ β'

betaprime_ind_lem: Lemma
  ADJ_pred(i + 1) ∧ wpred(i)(p)
  ⊃ 2 * ρ * (R + α(⌊β' + 2 * Δ'⌋)) + π(⌊2 * (Δ' + 1)⌋, ⌊β' + 2 * Δ'⌋) ≤ β'

betaprime_lem: Lemma
  2 * ρ * (R + α(⌊β' + 2 * Δ'⌋)) + π(⌊2 * (Δ' + 1)⌋, ⌊β' + 2 * Δ'⌋) ≤ β'

R_0_lem: Lemma wpred(i)(p) ∧ ADJ_pred(i + 1) ⊃ R ≥ 0

bound_future: Lemma
  delay_pred(i) ∧ ADJ_pred(i + 1)
  ∧ wpred(i)(p)
  ∧ wpred(i)(q) ∧ good_interval(p, i, T) ∧ good_interval(q, i, T)
  ⊃ |ic^{i+1}_p(T) − ic^{i+1}_q(T)|
    ≤ 2 * ρ * (|T − S^i| + α(⌊β' + 2 * Δ'⌋))
      + π(⌊2 * (Δ' + 1)⌋, ⌊β' + 2 * Δ'⌋)

bound_future1: Lemma
  delay_pred(i) ∧ ADJ_pred(i + 1) ∧ wpred(i)(p) ∧ good_interval(p, i, T)
  ⊃ |(ic^i_p(T − ADJ^i_p) − s^i_p) − (T − ADJ^i_p − S^i)|
    ≤ ρ * (|T − S^i| + α(⌊β' + 2 * Δ'⌋))
bound_future1_step: Lemma
  delay_pred(i) ∧ ADJ_pred(i + 1) ∧ wpred(i)(p) ∧ good_interval(p, i, T)
  ⊃ |(ic^i_p(T − ADJ^i_p) − s^i_p) − (T − ADJ^i_p − S^i)| ≤ ρ * (|T − ADJ^i_p − S^i|)

bound_FIXTIME: Lemma
  delay_pred(i) ∧ ADJ_pred(i + 1)
  ∧ wpred(i)(p)
  ∧ wpred(i)(q)
  ∧ good_interval(p, i, S^{i+1}) ∧ good_interval(q, i, S^{i+1})
  ⊃ |s^{i+1}_p − s^{i+1}_q| ≤ β'

bound_FIXTIME2: Lemma
  delay_pred(i) ∧ ADJ_pred(i + 1) ∧ wpred(i)(p) ∧ wpred(i)(q)
  ⊃ (wpred(i + 1)(p) ∧ wpred(i + 1)(q) ⊃ |s^{i+1}_p − s^{i+1}_q| ≤ β')

delay_offset: Lemma wpred(i)(p) ∧ wpred(i)(q) ⊃ |s^i_p − s^i_q| ≤ β'

ADJ_bound: Lemma wpred(i)(p) ⊃ |ADJ^i_p| ≤ α(⌊β' + 2 * Δ'⌋)

Alpha_0: Lemma wpred(i)(p) ⊃ α(⌊β' + 2 * Δ'⌋) ≥ 0

Proof

ADJ_pred_lr: Lemma
  ADJ_pred(i + 1) ⊃ (wpred(i)(p) ⊃ |ADJ^i_p| ≤ α(⌊β' + 2 * Δ'⌋))

ADJ_pred_lr_pr: Prove ADJ_pred_lr from ADJ_pred {i ← i + 1}

betaprime_ind_lem_pr: Prove betaprime_ind_lem from
  betaprime_ax,
  pos_product {x ← ρ, y ← R + α(⌊β' + 2 * Δ'⌋)},
  rho_0,
  R_FIX_SYNC_0,
  FIX_SYNC,
  ADJ_pred_lr,
  |*1| {x ← ADJ^i_p}

betaprime_lem_pr: Prove betaprime_lem from
  betaprime_ind_lem {p ← p@p4},
  bnd_delay_offset {i ← i + 1},
  wpred_ax,
  count_exists {ppred ← wpred(i@p1), n ← N},
  N_maxfaults

delay_offset_pr: Prove delay_offset from bnd_delay_offset, delay_pred

ADJ_bound_pr: Prove ADJ_bound from
  bnd_delay_offset {i ← i + 1}, ADJ_pred {i ← i + 1}
a1, b1, c1, d1: Var number

abs_0: Lemma |a1| ≤ b1 ⊃ b1 ≥ 0

abs_0_pr: Prove abs_0 from |*1| {x ← a1}

Alpha_0_pr: Prove Alpha_0 from ADJ_bound, |*1| {x ← ADJ^i_p}

R_0_hack: Lemma wpred(i)(p) ∧ ADJ_pred(i + 1) ⊃ S^{i+1} − S^i ≥ 0

R_0_hack_pr: Prove R_0_hack from
  ADJ_pred {i ← i + 1},
  FIXTIME_bound,
  wpred_hi_lem,
  abs_0 {a1 ← ADJ^i_p, b1 ← α(⌊β' + 2 * Δ'⌋)}

R_0_lem_pr: Prove R_0_lem from R_0_hack, S^{*1}, S^{*1} {i ← i + 1}
abshack_future: Lemma |(a1 − b1) − (c1 − d1)| = |(a1 − c1) − (b1 − d1)|
abshack_future_pr: Prove abshack_future
abs_minus: Lemma |a1 − b1| ≤ |a1| + |b1|

abs_minus_pr: Prove abs_minus from
  |*1| {x ← a1 − b1}, |*1| {x ← a1}, |*1| {x ← b1}

bound_future1_pr: Prove bound_future1 from
  bound_future1_step,
  abs_minus {a1 ← T − S^i, b1 ← ADJ^i_p},
  ADJ_pred {i ← i + 1},
  mult_ieq_2
    {z ← ρ,
     y ← |T − ADJ^i_p − S^i|,
     x ← |T − S^i| + α(⌊β' + 2 * Δ'⌋)},
  rho_0

bound_future1_step_a: Lemma
  correct_during(p, ic^i_p(T − ADJ^i_p), s^i_p) ∧ S^i ≥ T − ADJ^i_p
  ⊃ |(ic^i_p(T − ADJ^i_p) − s^i_p) − (T − ADJ^i_p − S^i)| ≤ ρ * (|T − ADJ^i_p − S^i|)

bound_future1_step_b: Lemma
  correct_during(p, s^i_p, ic^i_p(T − ADJ^i_p)) ∧ T − ADJ^i_p ≥ S^i
  ⊃ |(ic^i_p(T − ADJ^i_p) − s^i_p) − (T − ADJ^i_p − S^i)| ≤ ρ * (|T − ADJ^i_p − S^i|)
bound_future1_step_a_pr: Prove bound_future1_step_a from
  RATE_lemma2_iclock {T ← T − ADJ^i_p, S ← S^i},
  s^{*2}_{*1},
  abshack_future
    {a1 ← ic^i_p(T − ADJ^i_p),
     b1 ← s^i_p,
     c1 ← T − ADJ^i_p,
     d1 ← S^i},
  abs_com {x ← a1@p3 − c1@p3, y ← b1@p3 − d1@p3},
  abs_com {x ← T@p1, y ← S@p1}

bound_future1_step_b_pr: Prove bound_future1_step_b from
  RATE_lemma2_iclock {S ← T − ADJ^i_p, T ← S^i},
  s^{*2}_{*1},
  abshack_future
    {a1 ← ic^i_p(T − ADJ^i_p),
     b1 ← s^i_p,
     c1 ← T − ADJ^i_p,
     d1 ← S^i}

bound_future1_step_pr: Prove bound_future1_step from
  good_interval, bound_future1_step_a, bound_future1_step_b, iclock_ADJ_lem

good_interval_lem_pr: Prove good_interval_lem from
  good_interval {T ← S^{i+1}},
  s^{*2}_{*1} {i ← i + 1},
  wpred_fixtime,
  wpred_fixtime_low {i ← i + 1},
  correct_during_trans {t ← s^i_p, t2 ← t^{i+1}_p, s ← s^{i+1}_p},
  wpred_hi_lem,
  FIXTIME_bound,
  ADJ_pred {i ← i + 1},
  |*1| {x ← ADJ^i_p}

bound_FIXTIME2_pr: Prove bound_FIXTIME2 from
  bound_FIXTIME, good_interval_lem, good_interval_lem {p ← q}

bound_FIXTIME_pr: Prove bound_FIXTIME from
  bound_future {T ← S^{i+1}},
  S^{*1},
  S^{*1} {i ← i + 1},
  abs_ge0 {x ← R},
  R_0_lem,
  s^{*2}_{*1} {p ← p@p1, i ← i + 1},
  s^{*2}_{*1} {p ← q@p1, i ← i + 1},
  betaprime_ind_lem
bnd_delay_offset_ind_b_pr: Prove bnd_delay_offset_ind_b from
  bound_FIXTIME2 {p ← p@p2, q ← q@p2},
  delay_pred {i ← i + 1},
  delay_pred {p ← p@p2, q ← q@p2},
  recovery_lemma {p ← p@p2, q ← q@p2},
  recovery_lemma {p ← q@p2, q ← p@p2},
  abs_com {x ← s^{i+1}_{p@p2}, y ← s^{i+1}_{q@p2}},
  wpred_preceding {p ← p@p2},
  wpred_preceding {p ← q@p2},
  wpred_correct {i ← i + 1, p ← p@p2},
  wpred_correct {i ← i + 1, p ← q@p2}

a, b, c, d, e, f, g, h, aa, bb: Var number

abshack: Lemma |a − b|
  ≤ |(a − e) − (c − f − d)| + |(b − g) − (c − h − d)|
    + |(e − g) − (f − h)|

abshack2: Lemma |(a − e) − (c − f − d)| ≤ aa
  ∧ |(b − g) − (c − h − d)| ≤ aa ∧ |(e − g) − (f − h)| ≤ bb
  ⊃ |a − b| ≤ 2 * aa + bb

abshack2_pr: Prove abshack2 from abshack

abshack_pr: Prove abshack from
  abs_com {x ← b − g, y ← c − h − d},
  abs_plus {x ← (a − e) − (c − f − d), y ← (c − h − d) − (b − g)},
  abs_plus {x ← x@p2 + y@p2, y ← (e − g) − (f − h)}

bound_future_pr: Prove bound_future from
  bound_future1,
  bound_future1 {p ← q},
  delay_prec_enh,
  iclock_ADJ_lem,
  iclock_ADJ_lem {p ← q},
  abshack2
    {a ← ic^i_p(T − ADJ^i_p),
     b ← ic^i_q(T − ADJ^i_q),
     c ← T,
     d ← S^i,
     e ← s^i_p,
     f ← ADJ^i_p,
     g ← s^i_q,
     h ← ADJ^i_q,
     aa ← ρ * (|T − S^i| + α(⌊β' + 2 * Δ'⌋)),
     bb ← π(⌊2 * (Δ' + 1)⌋, ⌊β' + 2 * Δ'⌋)}

End delay3
B.5 delay4

delay4: Module

Using arith, clockassumptions, delay3
Exporting all with clockassumptions, delay3
Theory

p, q, p1, q1: Var process

i: Var event

X, S, T: Var Clocktime

s, t, t1, t2: Var time

γ: Var function[process → Clocktime]

ppred, ppred1: Var function[process → bool]

option1, option2: bool

option1_defn: Axiom
  option1 ⊃ T^{i+1}_p = (i + 1) * R + T^0 ∧ (β = 2 * ρ * (R − (S^0 − T^0)) + β')

option2_defn: Axiom
  option2 ⊃ T^{i+1}_p = (i + 1) * R + T^0 − ADJ^i_p
            ∧ (β = β' − 2 * ρ * (S^0 − T^0))

options_disjoint: Axiom ¬(option1 ∧ option2)

option1_bounded_delay: Lemma
  option1 ∧ wpred(i)(p) ∧ wpred(i)(q) ⊃ |t^{i+1}_p − t^{i+1}_q| ≤ β

option2_bounded_delay: Lemma
  option2 ∧ wpred(i)(p) ∧ wpred(i)(q) ⊃ |t^{i+1}_p − t^{i+1}_q| ≤ β

option1_bounded_delay0: Lemma
  option1 ∧ wpred(0)(p) ∧ wpred(0)(q) ⊃ |t^0_p − t^0_q| ≤ β

option2_bounded_delay0: Lemma
  option2 ∧ wpred(0)(p) ∧ wpred(0)(q) ⊃ |t^0_p − t^0_q| ≤ β

option2_convert_lemma: Lemma
  (β = β' − 2 * ρ * (S^0 − T^0))
  ⊃ 2 * ρ * ((R − (S^0 − T^0)) + α(⌊β' + 2 * Δ'⌋))
    + π(⌊2 * (Δ' + 1)⌋, ⌊β' + 2 * Δ'⌋)
    ≤ β

option2_good_interval: Lemma
  option2 ∧ wpred(i)(p) ⊃ good_interval(p, i, (i + 1) * R + T^0)

options_exhausted: Axiom option1 ∨ option2
Proof

rts_2_hi_pr: Prove rts_2_hi from
  options_exhausted, option1_bounded_delay, option2_bounded_delay

option1_bounded_delay0_pr: Prove option1_bounded_delay0 from
  bnd_delay_init,
  option1_defn,
  pos_product {x ← ρ, y ← S^0 − T^0},
  pos_product {x ← ρ, y ← R − (S^0 − T^0)},
  R_FIX_SYNC_0,
  FIX_SYNC,
  rho_0

option2_bounded_delay0_pr: Prove option2_bounded_delay0 from
  bnd_delay_init, option2_defn

option1_bounded_delay_pr: Prove option1_bounded_delay from
  RATE_lemma1_iclock {S ← (i + 1) * R + T^0, T ← S^i},
  S^{*1},
  delay_offset,
  wpred_fixtime,
  wpred_fixtime {p ← q},
  synctime_defn,
  synctime_defn {p ← q},
  s^{*2}_{*1},
  s^{*2}_{*1} {p ← q},
  option1_defn,
  option1_defn {p ← q},
  R_FIX_SYNC_0,
  option1_defn

option2_good_interval_pr: Prove option2_good_interval from
  good_interval {T ← (i + 1) * R + T^0},
  wpred_fixtime,
  wpred_hi_lem,
  rts_new_1,
  iclock_ADJ_lem {T ← T@p1},
  synctime_defn,
  Alpha_0,
  option2_defn
option2_convert_lemma_pr: Prove option2_convert_lemma from
  betaprime_lem,
  mult_ldistrib_minus
    {x ← ρ,
     y ← R + α(⌊β' + 2 * Δ'⌋),
     z ← (S^0 − T^0)}

option2_bounded_delay_pr: Prove option2_bounded_delay from
  option2_convert_lemma,
  option2_good_interval,
  option2_good_interval {p ← q},
  bound_future {T ← (i + 1) * R + T^0},
  option2_defn,
  option2_defn {p ← q},
  iclock_ADJ_lem {T ← T@p4},
  iclock_ADJ_lem {T ← T@p4, p ← q},
  synctime_defn,
  synctime_defn {p ← q},
  S^{*1},
  R_0_lem,
  bnd_delay_offset,
  bnd_delay_offset {i ← i + 1},
  abs_ge0 {x ← (R − (S^0 − T^0))},
  R_FIX_SYNC_0,
  option2_defn

End delay4
B.6 new_basics

new_basics: Module

Using clockassumptions, arith, delay3

Exporting all with clockassumptions, delay3

Theory

p, q: Var process
i, j, k: Var event
x, y, y1, y2, z: Var number
r, s, t, t1, t2: Var time
X, Y: Var Clocktime

maxsync: Definition function[process, process, event → process] =
  (λ p, q, i : (if t^i_p ≥ t^i_q then p else q end if))

maxsync_correct: Lemma correct(p, s) ∧ correct(q, s) ⊃ correct(maxsync(p, q, i), s)

minsync: Definition function[process, process, event → process] =
  (λ p, q, i : (if t^i_p ≥ t^i_q then q else p end if))

minsync_correct: Lemma correct(p, s) ∧ correct(q, s) ⊃ correct(minsync(p, q, i), s)

minsync_maxsync: Lemma t^i_{minsync(p, q, i)} ≤ t^i_{maxsync(p, q, i)}

t^{*3}_{*1 *2}: Definition function[process, process, event → time] =

delay_recovery: Axiom
  rpred(i)(p) ∧ wvr_pred(i)(q) ⊃ |t^{i+1}_p − t^{i+1}_q| ≤ β

rts0_new: Axiom wpred(i)(p)
  ⊃ t^{i+1}_p − t^i_p ≤ (1 + ρ) * (R + α(⌊β' + 2 * Δ'⌋))

rts1_new: Axiom wpred(i)(p)
  ⊃ ((R − α(⌊β' + 2 * Δ'⌋))/(1 + ρ)) ≤ t^{i+1}_p − t^i_p

nonoverlap: Axiom β ≤ ((R − α(⌊β' + 2 * Δ'⌋))/(1 + ρ))

lemma_1: Lemma wpred(i)(p) ∧ wpred(i)(q) ⊃ t^i_p ≤ t^{i+1}_q

lemma_1_1: Lemma wpred(i)(p) ∧ wpred(i + 1)(q) ⊃ t^i_p ≤ t^{i+1}_q

lemma_1_2: Lemma wpred(i)(p) ∧ wpred(i + 1)(q) ⊃ t^{i+1}_p ≤ t^{i+2}_q

lemma_2_1: Lemma correct(q, t^{i+1}_q)
  ⊃ IC^{i+1}_q(t^{i+1}_q) = cfn(q, Θ^{i+1}_q)
rts_2_lo_i: Lemma
  wpred(i + 1)(p) ∧ wpred(i + 1)(q) ⊃ |t_p^{i+1} − t_q^{i+1}| < β

rts_2_lo_i_recover: Lemma
  rpred(i)(p) ∧ wpred(i + 1)(q) ⊃ |t_p^{i+1} − t_q^{i+1}| < β

synctime_monotonic: Axiom i < j ⊃ t_p^i < t_p^j

working_clocks_lo: Lemma
  wpred(i + 1)(p) ∧ t_p^{i+1} < t ∧ wpred(i)(q) ⊃ t_q^i < t

working_clocks_hi: Lemma
  wpred(i)(p) ∧ t < t_p^{i+1} ∧ wpred(i + 1)(q) ⊃ t < t_q^{i+2}

working_clocks_interval: Lemma
  z > 0 ∧ wpred(i)(p)
  ∧ wpred(j)(q) ∧ t_p^i < t ∧ t < t_p^{i+1} ∧ t_q^j < t ∧ t < t_q^{j+1}
  ⊃ t \- 1 <^ +1

Proof

working_clocks_lo_pr: Prove working_clocks_lo from
  lemma_1_1 {p ← q, q ← p}

working_clocks_hi_pr: Prove working_clocks_hi from lemma_1_2

rts_2_lo_i_recover_pr: Prove rts_2_lo_i_recover from
  delay_recovery, wpred_preceding {p ← q}, wvr_pred {p ← q}

rts_2_lo_i_pr: Prove rts_2_lo_i from
  rts_2_lo_i_recover,
  rts_2_lo_i_recover {p ← q, q ← p},
  abs_com {x ← t_p^{i+1}, y ← t_q^{i+1}},
  rts_2_hi,
  wpred_preceding,
  wpred_preceding {p ← q}

rts_2_lo_pr: Prove rts_2_lo from rts_2_lo_i {i ← pred(i)}, bnd_delay_init

maxsync_correct_pr: Prove maxsync_correct from (⋆1 ⋆2)[⋆3]

minsync_correct_pr: Prove minsync_correct from minsync

minsync_maxsync_pr: Prove minsync_maxsync from minsync, (⋆1 ⋆2)[⋆3]

lemma_1_proof: Prove lemma_1 from
  rts_2_hi, rts1_new, |⋆1| {x ← t_p^{i+1} − t_q^{i+1}}, nonoverlap

lemma_2_1_proof: Prove lemma_2_1 from
  IClock_defn {p ← q, i ← i + 1, t ← t_q^{i+1}},
  {i ← i + 1, p ← q}

lemma_1_1_proof: Prove lemma_1_1 from
  rts_2_hi,
  wpred_preceding {p ← q},
  delay_recovery {p ← q, q ← p},
  abs_com {x ← t_q^{i+1}, y ← t_p^{i+1}},
  wvr_pred,
  |⋆1| {x ← t_p^{i+1} − t_q^{i+1}},
  rts1_new,
  nonoverlap

lemma_1_2_proof: Prove lemma_1_2 from
  rts_2_hi,
  wpred_preceding {p ← q},
  delay_recovery {p ← q, q ← p},
  abs_com {x ← t_q^{i+1}, y ← t_p^{i+1}},
  wvr_pred,
  |⋆1| { x ^^ 1 },
  rts1_new {p ← q, i ← i + 1},
  nonoverlap

End new_basics
B.7 rmax_rmin

rmax_rmin: Module

Using clockassumptions, arith, delay4, new_basics

Exporting all with clockassumptions, delay4

Theory

p, q: Var process
i, j, k: Var event
x, y, y₁, y₂, z: Var number
r, s, t, t₁, t₂: Var time
X, Y: Var Clocktime

rmax_pred: function[process, event → bool] =
  (λ p, i: wpred(i)(p)
    ⊃ t_p^{i+1} − t_p^i < (1 + ρ) * (R + α(⌊β' + 2 * Λ'⌋)))

rmin_pred: function[process, event → bool] =
  (λ p, i: wpred(i)(p)
    ⊃ ((R − α(⌊β' + 2 * Λ'⌋))/(1 + ρ)) < t_p^{i+1} − t_p^i)

ADJ_recovery: Axiom option1 ∧ rpred(i)(p) ⊃ |ADJ_p^i| < α(⌊β' + 2 * Λ'⌋)

rmax1: Lemma option1 ⊃ rmax_pred(p, i)

rmax2: Lemma option2 ⊃ rmax_pred(p, i)

rmin1: Lemma option1 ⊃ rmin_pred(p, i)

rmin2: Lemma option2 ⊃ rmin_pred(p, i)

Proof

rts0_new_pr: Prove rts0_new from options_exhausted, rmax1, rmax2, rmax_pred

rts1_new_pr: Prove rts1_new from options_exhausted, rmin1, rmin2, rmin_pred

rmin2_0: Lemma option2 ⊃ rmin_pred(p, 0)

rmin2_plus: Lemma option2 ⊃ rmin_pred(p, i + 1)

rmin2_pr: Prove rmin2 from rmin2_0, rmin2_plus {i ← pred(i)}
rmin2_0_pr: Prove rmin2_0 from
  rmin_pred {i ← 0},
  synctime0_defn,
  synctime_defn {i ← i@p1},
  option2_defn {i ← i@p1},
  R_0,
  RATE_2_iclock {i ← i@p1, S ← T_p^{i@p1+1}, T ← T⁰},
  wpred_correct {i ← i@p1},
  div_ineq
    {z ← (1 + ρ),
     y ← R − ADJ_p^{i@p1},
     x ← R − α(⌊β' + 2 * Λ'⌋)},
  rho_0,
  ADJ_bound {i ← i@p1},
  |⋆1| {x ← ADJ_p^{i@p1}},
  R_bound {i ← i@p1},
  wpred_hi_lem {i ← i@p1},
  Alpha_0 {i ← i@p1}
rmin2_plus_pr: Prove rmin2_plus from
  rmin_pred {i ← i + 1},
  synctime_defn,
  synctime_defn {i ← i@p1},
  option2_defn {i ← i},
  option2_defn {i ← i@p1},
  R_0,
  RATE_2_iclock
    {i ← i@p1,
     S ← T_p^{i@p1+1},
     T ← T_p^{i@p1} + ADJ_p^i},
  wpred_correct {i ← i@p1},
  div_ineq
    {z ← (1 + ρ),
     y ← R − ADJ_p^{i@p1},
     x ← R − α(⌊β' + 2 * Λ'⌋)},
  rho_0,
  ADJ_bound {i ← i@p1},
  |⋆1| {x ← ADJ_p^{i@p1}},
  R_bound {i ← i@p1},
  wpred_hi_lem {i ← i@p1},
  Alpha_0 {i ← i@p1},
  iclock_ADJ_lem {T ← T_p^{i@p1} + ADJ_p^i}

rmax2_0: Lemma option2 ⊃ rmax_pred(p, 0)
rmax2_plus: Lemma option2 ⊃ rmax_pred(p, i + 1)

rmax2_pr: Prove rmax2 from rmax2_0, rmax2_plus {i ← pred(i)}

rmax2_0_pr: Prove rmax2_0 from
  rmax_pred {i ← 0},
  synctime0_defn,
  synctime_defn {i ← i@p1},
  option2_defn {i ← i@p1},
  R_0,
  RATE_1_iclock {i ← i@p1, S ← T_p^{i@p1+1}, T ← T⁰},
  wpred_correct {i ← i@p1},
  mult_leq_2
    {z ← (1 + ρ),
     y ← R − ADJ_p^{i@p1},
     x ← R + α(⌊β' + 2 * Λ'⌋)},
  mult_com {x ← (T_p^{i@p1+1} − T⁰), y ← (1 + ρ)},
  rho_0,
  ADJ_bound {i ← i@p1},
  |⋆1| {x ← ADJ_p^{i@p1}},
  R_bound {i ← i@p1},
  wpred_hi_lem {i ← i@p1},
  Alpha_0 {i ← i@p1}

rmax2_plus_pr: Prove rmax2_plus from
  rmax_pred {i ← i + 1},
  synctime_defn,
  synctime_defn {i ← i@p1},
  option2_defn,
  option2_defn {i ← i@p1},
  R_0,
  RATE_1_iclock
    {i ← i@p1,
     S ← T_p^{i@p1+1},
     T ← T_p^{i@p1} + ADJ_p^i},
  wpred_correct {i ← i@p1},
  mult_leq_2
    {z ← (1 + ρ),
     y ← R − ADJ_p^{i@p1},
     x ← R + α(⌊β' + 2 * Λ'⌋)},
  mult_com {x ← (T_p^{i@p1+1} − (T_p^{i@p1} + ADJ_p^i)), y ← (1 + ρ)},
  rho_0,
  ADJ_bound {i ← i@p1},
  |⋆1| {x ← ADJ_p^{i@p1}},
  R_bound {i ← i@p1},
  wpred_hi_lem {i ← i@p1},
  Alpha_0 {i ← i@p1},
  iclock_ADJ_lem {i ← i, T ← T_p^{i@p1} + ADJ_p^i}
rmin1_0: Lemma option1 ⊃ rmin_pred(p, 0)

rmin1_plus: Lemma option1 ⊃ rmin_pred(p, i + 1)

rmin1_pr: Prove rmin1 from rmin1_0, rmin1_plus {i ← pred(i)}

rmin1_0_pr: Prove rmin1_0 from
  rmin_pred {i ← 0},
  synctime0_defn,
  synctime_defn {i ← i@p1},
  option1_defn {i ← i@p1},
  R_0,
  RATE_2_iclock {i ← i@p1, S ← T_p^{i@p1+1}, T ← T⁰},
  wpred_correct {i ← i@p1},
  Alpha_0 {i ← i@p1},
  div_ineq {z ← (1 + ρ), y ← R, x ← R − α(⌊β' + 2 * Λ'⌋)},
  rho_0

rmin1_plus_pr: Prove rmin1_plus from
  rmin_pred {i ← i + 1},
  synctime_defn,
  synctime_defn {i ← i@p1},
  option1_defn,
  option1_defn {i ← i@p1},
  R_0,
  RATE_2_iclock
    {i ← i@p1,
     S ← T_p^{i@p1+1},
     T ← T_p^{i@p1} + ADJ_p^i},
  wpred_correct {i ← i@p1},
  Alpha_0 {i ← i@p1},
  div_ineq
    {z ← (1 + ρ),
     y ← R − ADJ_p^i,
     x ← R − α(⌊β' + 2 * Λ'⌋)},
  rho_0,
  R_bound {i ← i@p1},
  wpred_hi_lem {i ← i@p1},
  |⋆1| {x ← ADJ_p^i},
  ADJ_recovery,
  ADJ_bound,
  wpred_preceding,
  iclock_ADJ_lem {T ← T_p^{i@p1} + ADJ_p^i}

rmax1_0: Lemma option1 ⊃ rmax_pred(p, 0)
rmax1_plus: Lemma option1 ⊃ rmax_pred(p, i + 1)
rmax1_pr: Prove rmax1 from rmax1_0, rmax1_plus {i ← pred(i)}

rmax1_0_pr: Prove rmax1_0 from
  rmax_pred {i ← 0},
  synctime0_defn,
  synctime_defn {i ← i@p1},
  option1_defn {i ← i@p1},
  R_0,
  RATE_1_iclock {i ← i@p1, S ← T_p^{i@p1+1}, T ← T⁰},
  wpred_correct {i ← i@p1},
  Alpha_0 {i ← i@p1},
  mult_leq_2 {z ← (1 + ρ), y ← R, x ← R + α(⌊β' + 2 * Λ'⌋)},
  mult_com {x ← (T_p^{i@p1+1} − T⁰), y ← (1 + ρ)},
  rho_0

rmax1_plus_pr: Prove rmax1_plus from
  rmax_pred {i ← i + 1},
  synctime_defn,
  synctime_defn {i ← i@p1},
  option1_defn,
  option1_defn {i ← i@p1},
  R_0,
  RATE_1_iclock
    {i ← i@p1,
     S ← T_p^{i@p1+1},
     T ← T_p^{i@p1} + ADJ_p^i},
  wpred_correct {i ← i@p1},
  Alpha_0 {i ← i@p1},
  mult_leq_2
    {z ← (1 + ρ),
     y ← R − ADJ_p^i,
     x ← R + α(⌊β' + 2 * Λ'⌋)},
  mult_com {x ← (T_p^{i@p1+1} − (T_p^{i@p1} + ADJ_p^i)), y ← (1 + ρ)},
  rho_0,
  R_bound {i ← i@p1},
  wpred_hi_lem {i ← i@p1},
  |⋆1| {x ← ADJ_p^i},
  ADJ_recovery,
  ADJ_bound,
  wpred_preceding,
  iclock_ADJ_lem {T ← T_p^{i@p1} + ADJ_p^i}

End rmax_rmin
Appendix C

Fault-Tolerant Midpoint Modules

This appendix contains the Ehdm modules and proof chain analysis showing that the
properties of translation invariance, precision enhancement, and accuracy preservation
have been established for the fault-tolerant midpoint convergence function. In the interest
of brevity, the proof chain status has been trimmed to show just the overall proof status
and the axioms at the base.

C.1 Proof Analysis

C.1.1 Proof Chain for Translation Invariance

Terse proof chain for proof ft_mid_trans_inv_pr in module mid

The proof chain is complete

The axioms and assumptions at the base are:
clocksort.funsort_trans_inv
division.mult_div_1
division.mult_div_2
division.mult_div_3
floor_ceil.floor_defn
ft_mid_assume.No_authentication
Total: 6
C.1.2 Proof Chain for Precision Enhancement

Terse proof chain for proof ft_mid_precision_enhancement_pr in module mid3

================== SUMMARY ==================

The proof chain is complete

The axioms and assumptions at the base are:
clocksort.cnt_sort_geq
clocksort.cnt_sort_leq
division.mult_div_1
division.mult_div_2
division.mult_div_3
floor_ceil.ceil_defn
floor_ceil.floor_defn
ft_mid_assume.No_authentication
multiplication.mult_non_neg
multiplication.mult_pos
noetherian[EXPR, EXPR].general_induction
Total: 11

C.1.3 Proof Chain for Accuracy Preservation

Terse proof chain for proof ft_mid_acc_pres_pr in module mid4

================== SUMMARY ==================

The proof chain is complete

The axioms and assumptions at the base are:
clocksort.cnt_sort_geq
clocksort.cnt_sort_leq
clocksort.funsort_ax
division.mult_div_1
division.mult_div_2
division.mult_div_3
floor_ceil.floor_defn
ft_mid_assume.No_authentication
multiplication.mult_pos
noetherian[EXPR, EXPR].general_induction
Total: 10
C.2 mid

mid: Module

Using arith, clockassumptions, select_defs, ft_mid_assume

Exporting all with select_defs

Theory

process: Type is nat

Clocktime: Type is integer

l, m, n, p, q: Var process

ϑ: Var function[process → Clocktime]

i, j, k: Var posint

T, X, Y, Z: Var Clocktime

cfn_MID: function[process, function[process → Clocktime] → Clocktime] =
  (λ p, ϑ: ⌊(ϑ_{(F+1)} + ϑ_{(N−F)})/2⌋)

ft_mid_trans_inv: Lemma cfn_MID(p, (λ q: ϑ(q) + X)) = cfn_MID(p, ϑ) + X

Proof

add_assoc_hack: Lemma X + Y + Z + Y = (X + Z) + 2 * Y
add_assoc_hack_pr: Prove add_assoc_hack from ⋆1 ⋆⋆2 {x ← 2, y ← Y}

ft_mid_trans_inv_pr: Prove ft_mid_trans_inv from
  cfn_MID,
  cfn_MID {ϑ ← (λ q: ϑ(q) + X)},
  select_trans_inv {k ← F + 1},
  select_trans_inv {k ← N − F},
  add_assoc_hack {X ← ϑ_{(F+1)}, Z ← ϑ_{(N−F)}, Y ← X},
  div_distrib {x ← (ϑ_{(F+1)} + ϑ_{(N−F)}), y ← 2 * X, z ← 2},
  div_cancel {x ← 2, y ← X},
  ft_mid_maxfaults,
  floor_plus_int {x ← x@p6/2, i ← X}

End mid
C.3 mid2

mid2: Module

Using arith, clockassumptions, mid
Exporting all with mid
Theory

Clocktime: Type is integer

m, n, p, q, p₁, q₁: Var process

i, j, k, l: Var posint

x, y, z, r, s, t: Var time

D, X, Y, Z, R, S, T: Var Clocktime

ϑ, θ, γ: Var function[process → Clocktime]

ppred, ppred1, ppred2: Var function[process → bool]

good_greater_F1: Lemma
  count(ppred, N) ≥ N − F ⊃ (∃ p: ppred(p) ∧ ϑ(p) ≥ ϑ_{(F+1)})

good_less_NF: Lemma
  count(ppred, N) ≥ N − F ⊃ (∃ p: ppred(p) ∧ ϑ(p) ≤ ϑ_{(N−F)})

Proof

good_greater_F1_pr: Prove good_greater_F1 {p ← p@p3} from
  count_geq_select {k ← F + 1},
  ft_mid_maxfaults,
  count_exists
    {ppred ← (λ p₁: ppred1@p4(p₁) ∧ ppred2@p4(p₁)),
     n ← N},
  pigeon_hole
    {ppred1 ← ppred,
     ppred2 ← (λ p₁: ϑ(p₁) ≥ ϑ_{(F+1)}),
     n ← N,
     k ← 1}

good_less_NF_pr: Prove good_less_NF {p ← p@p3} from
  count_leq_select {k ← N − F},
  ft_mid_maxfaults,
  count_exists
    {ppred ← (λ p₁: ppred1@p4(p₁) ∧ ppred2@p4(p₁)),
     n ← N},
  pigeon_hole
    {ppred1 ← ppred,
     ppred2 ← (λ p₁: ϑ_{(N−F)} ≥ ϑ(p₁)),
     n ← N,
     k ← 1}

End mid2
C.4 mid3

mid3: Module

Using arith, clockassumptions, mid2
Exporting all with mid2
Theory

Clocktime: Type is integer

m, n, p, q, p₁, q₁: Var process

i, j, k, l: Var posint

x, y, z, r, s, t: Var time

D, X, Y, Z, R, S, T: Var Clocktime

ϑ, θ, γ: Var function[process → Clocktime]

ppred, ppred1, ppred2: Var function[process → bool]

ft_mid_Pi: function[Clocktime, Clocktime → Clocktime] ==
  (λ X, Z: ⌈Z/2 + X⌉)

exchange_order: Lemma
  ppred(p) ∧ ppred(q)
  ∧ θ(q) ≤ θ(p) ∧ γ(p) ≤ γ(q) ∧ okay_pairs(θ, γ, X, ppred)
  ⊃ |θ(p) − γ(q)| ≤ X

good_geq_F_add1: Lemma
  count(ppred, N) ≥ N − F ⊃ (∃ p: ppred(p) ∧ ϑ(p) ≥ ϑ_{(F+1)})

okay_pair_geq_F_add1: Lemma
  count(ppred, N) ≥ N − F ∧ okay_pairs(θ, γ, X, ppred)
  ⊃ (∃ p₁, q₁:
       ppred(p₁) ∧ θ(p₁) ≥ θ_{(F+1)}
       ∧ ppred(q₁) ∧ γ(q₁) ≥ γ_{(F+1)} ∧ |θ(p₁) − γ(q₁)| ≤ X)

good_between: Lemma
  count(ppred, N) ≥ N − F
  ⊃ (∃ p: ppred(p) ∧ γ_{(F+1)} ≥ γ(p) ∧ θ(p) ≥ θ_{(N−F)})

ft_mid_precision_enhancement: Lemma
  count(ppred, N) ≥ N − F
  ∧ okay_pairs(θ, γ, X, ppred)
  ∧ okay_Readpred(θ, Z, ppred) ∧ okay_Readpred(γ, Z, ppred)
  ⊃ |cfn_MID(p, θ) − cfn_MID(q, γ)| ≤ ft_mid_Pi(X, Z)

ft_mid_prec_enh_sym: Lemma
  count(ppred, N) ≥ N − F
  ∧ okay_pairs(θ, γ, X, ppred)
  ∧ okay_Readpred(θ, Z, ppred)
  ∧ okay_Readpred(γ, Z, ppred) ∧ (cfn_MID(p, θ) > cfn_MID(q, γ))
  ⊃ |cfn_MID(p, θ) − cfn_MID(q, γ)| ≤ ft_mid_Pi(X, Z)

ft_mid_eq: Lemma count(ppred, N) ≥ N − F
  ∧ okay_pairs(θ, γ, X, ppred)
  ∧ okay_Readpred(θ, Z, ppred)
  ∧ okay_Readpred(γ, Z, ppred) ∧ (cfn_MID(p, θ) = cfn_MID(q, γ))
  ⊃ |cfn_MID(p, θ) − cfn_MID(q, γ)| ≤ ft_mid_Pi(X, Z)

ft_mid_prec_sym1: Lemma
  count(ppred, N) ≥ N − F
  ∧ okay_pairs(θ, γ, X, ppred)
  ∧ okay_Readpred(θ, Z, ppred)
  ∧ okay_Readpred(γ, Z, ppred)
  ∧ ((θ_{(F+1)} + θ_{(N−F)}) > (γ_{(F+1)} + γ_{(N−F)}))
  ⊃ |(θ_{(F+1)} + θ_{(N−F)}) − (γ_{(F+1)} + γ_{(N−F)})| ≤ Z + 2 * X

mid_gt_imp_sel_gt: Lemma
  (cfn_MID(p, θ) > cfn_MID(q, γ))
  ⊃ ((θ_{(F+1)} + θ_{(N−F)}) > (γ_{(F+1)} + γ_{(N−F)}))

okay_pairs_sym: Lemma
  okay_pairs(θ, γ, X, ppred) ⊃ okay_pairs(γ, θ, X, ppred)

Proof

ft_mid_prec_sym1_pr: Prove ft_mid_prec_sym1 from
  good_between,
  okay_pair_geq_F_add1,
  good_less_NF {ϑ ← γ},
  abs_geq
    {x ← (γ(q₁@p2) − γ(p@p3)) + (θ(p@p1) − γ(p@p1))
         + (θ(p₁@p2) − γ(q₁@p2)),
     y ← (θ_{(F+1)} + θ_{(N−F)}) − (γ_{(F+1)} + γ_{(N−F)})},
  abs_plus
    {x ← (γ(q₁@p2) − γ(p@p3)) + (θ(p@p1) − γ(p@p1)),
     y ← (θ(p₁@p2) − γ(q₁@p2))},
  abs_plus {x ← (γ(q₁@p2) − γ(p@p3)), y ← (θ(p@p1) − γ(p@p1))},
  okay_pairs {γ ← θ, θ ← γ, x ← X, p₃ ← p@p1},
  okay_Readpred {γ ← γ, y ← Z, l ← q₁@p2, m ← p@p3},
  distrib {x ← 1, y ← 1, z ← X},
  mult_lident {x ← X}

mid_gt_imp_sel_gt_pr: Prove mid_gt_imp_sel_gt from
  cfn_MID {ϑ ← θ},
  cfn_MID {ϑ ← γ, p ← q},
  mult_div {x ← (θ_{(F+1)} + θ_{(N−F)}), y ← 2},
  mult_div {x ← (γ_{(F+1)} + γ_{(N−F)}), y ← 2},
  mult_floor_gt {x ← x@p3/2, y ← x@p4/2, z ← 2}

ft_mid_eq_pr: Prove ft_mid_eq from
  count_exists {n ← N},
  ft_mid_maxfaults,
  okay_pairs {γ ← θ, θ ← γ, x ← X, p₃ ← p@p1},
  okay_Readpred {γ ← γ, y ← Z, l ← p@p1, m ← p@p1},
  |⋆1| {x ← cfn_MID(p, θ) − cfn_MID(q, γ)},
  |⋆1| {x ← γ(p@p1) − γ(p@p1)},
  |⋆1| {x ← θ(p@p1) − γ(p@p1)},
  ceil_defn {x ← Z/2 + X},
  div_nonnegative {x ← Z, y ← 2}

ft_mid_prec_enh_sym_pr: Prove ft_mid_prec_enh_sym from
  cfn_MID {ϑ ← θ},
  cfn_MID {ϑ ← γ, p ← q},
  div_minus_distrib
    {x ← (θ_{(F+1)} + θ_{(N−F)}),
     y ← (γ_{(F+1)} + γ_{(N−F)}),
     z ← 2},
  abs_div
    {x ← (θ_{(F+1)} + θ_{(N−F)}) − (γ_{(F+1)} + γ_{(N−F)}),
     y ← 2},
  ft_mid_prec_sym1,
  mid_gt_imp_sel_gt,
  div_ineq
    {x ← |(θ_{(F+1)} + θ_{(N−F)}) − (γ_{(F+1)} + γ_{(N−F)})|,
     y ← Z + 2 * X,
     z ← 2},
  div_distrib {x ← Z, y ← 2 * X, z ← 2},
  div_cancel {x ← 2, y ← X},
  abs_floor_sub_floor_leq_ceil
    {x ← x@p3/2,
     y ← y@p3/2,
     z ← Z/2 + X}

okay_pairs_sym_pr: Prove okay_pairs_sym from
  okay_pairs {γ ← θ, θ ← γ, x ← X, p₃ ← p₃@p2},
  okay_pairs {γ ← γ, θ ← θ, x ← X},
  abs_com {x ← θ(p₃@p2), y ← γ(p₃@p2)}

ft_mid_precision_enhancement_pr: Prove ft_mid_precision_enhancement from
  ft_mid_prec_enh_sym,
  ft_mid_prec_enh_sym
    {p ← q@p1,
     q ← p@p1,
     θ ← γ@p1,
     γ ← θ@p1},
  ft_mid_eq,
  okay_pairs_sym,
  abs_com {x ← cfn_MID(p, θ), y ← cfn_MID(q, γ)}

okay_pair_geq_F_add1_pr: Prove
  okay_pair_geq_F_add1
    {p₁ ← if (θ(p@p2) > θ(p@p1))
            then p@p2
          elsif (γ(p@p1) > γ(p@p2)) then p@p1 else p@p3
          end if,
     q₁ ← if (θ(p@p2) > θ(p@p1))
            then p@p2
          elsif (γ(p@p1) > γ(p@p2)) then p@p1 else p@p3
          end if} from
  good_geq_F_add1 {ϑ ← θ},
  good_geq_F_add1 {ϑ ← γ},
  exchange_order {p ← p@p1, q ← p@p2},
  okay_pairs {γ ← θ, θ ← γ, x ← X, p₃ ← p@p1},
  okay_pairs {γ ← θ, θ ← γ, x ← X, p₃ ← p@p2}

good_geq_F_add1_pr: Prove good_geq_F_add1 {p ← p@p1} from
  count_exists
    {ppred ← (λ p: ((ppred1@p2)p) ∧ ((ppred2@p2)p)),
     n ← N},
  pigeon_hole
    {n ← N,
     k ← 1,
     ppred1 ← ppred,
     ppred2 ← (λ p: ϑ(p) ≥ ϑ_{((k@p3))})},
  count_geq_select {k ← F + 1},
  ft_mid_maxfaults

good_between_pr: Prove good_between {p ← p@p1} from
  count_exists
    {ppred ← (λ p: ((ppred1@p2)p) ∧ ((ppred2@p2)p)),
     n ← N},
  pigeon_hole
    {n ← N,
     k ← 1,
     ppred1 ← (λ p: ((ppred1@p3)p) ∧ ((ppred2@p3)p)),
     ppred2 ← (λ p: θ(p) ≥ θ_{((k@p4))})},
  pigeon_hole
    {n ← N,
     k ← k@p5,
     ppred1 ← ppred,
     ppred2 ← (λ p: γ_{((k@p5))} ≥ γ(p))},
  count_geq_select {ϑ ← θ, k ← N − F},
  count_leq_select {ϑ ← γ, k ← F + 1},
  No_authentication

exchange_order_pr: Prove exchange_order from
  okay_pairs {γ ← θ, θ ← γ, x ← X, p₃ ← p},
  okay_pairs {γ ← θ, θ ← γ, x ← X, p₃ ← q},
  abs_geq {x ← (θ(p) − γ(p)), y ← θ(p) − γ(q)},
  abs_geq {x ← (γ(q) − θ(q)), y ← γ(q) − θ(p)},
  abs_com {x ← θ(q), y ← γ(q)},
  abs_com {x ← θ(p), y ← γ(q)}

End mid3
C.5 mid4

mid4: Module

Using arith, clockassumptions, mid3
Exporting all with clockassumptions, mid3
Theory

process: Type is nat
Clocktime: Type is integer
m, n, p, q, p₁, q₁: Var process
i, j, k: Var posint
x, y, z, r, s, t: Var time
D, X, Y, Z, R, S, T: Var Clocktime

ϑ: Var function[process → Clocktime]
ppred, ppred1, ppred2: Var function[process → bool]

ft_mid_accuracy_preservation: Lemma
  ppred(q) ∧ count(ppred, N) ≥ N − F ∧ okay_Readpred(ϑ, X, ppred)
  ⊃ |cfn_MID(p, ϑ) − ϑ(q)| ≤ X

ft_mid_less: Lemma cfn_MID(p, ϑ) ≤ ϑ_{(F+1)}
ft_mid_greater: Lemma cfn_MID(p, ϑ) ≥ ϑ_{(N−F)}
abs_q_less: Lemma
  count(ppred, N) ≥ N − F ⊃ (∃ p₁: ppred(p₁) ∧ ϑ(p₁) ≤ cfn_MID(p, ϑ))

abs_q_greater: Lemma
  count(ppred, N) ≥ N − F ⊃ (∃ p₁: ppred(p₁) ∧ ϑ(p₁) ≥ cfn_MID(p, ϑ))

ft_mid_bnd_by_good: Lemma
  count(ppred, N) ≥ N − F
  ⊃ (∃ p₁: ppred(p₁) ∧ |cfn_MID(p, ϑ) − ϑ(q)| ≤ |ϑ(p₁) − ϑ(q)|)
maxfaults_lem: Lemma F + 1 < N − F
ft_select: Lemma ϑ_{(F+1)} ≥ ϑ_{(N−F)}

Proof

ft_select_pr: Prove ft_select from
  select_ax {i ← F + 1, k ← N − F}, maxfaults_lem

maxfaults_lem_pr: Prove maxfaults_lem from ft_mid_maxfaults
ft_mid_bnd_by_good_pr: Prove
  ft_mid_bnd_by_good
    {p₁ ← (if cfn_MID(p, ϑ) > ϑ(q) then p₁@p1 else p₁@p2 end if)} from
  abs_q_greater,
  abs_q_less,
  abs_com {x ← ϑ(q), y ← ϑ(p₁@c)},
  abs_com {x ← ϑ(q), y ← cfn_MID(p, ϑ)},
  abs_geq {x ← x@p3 − y@p3, y ← x@p4 − y@p4},
  abs_geq {x ← ϑ(p₁@c) − ϑ(q), y ← cfn_MID(p, ϑ) − ϑ(q)}

abs_q_less_pr: Prove abs_q_less {p₁ ← p@p1} from
  good_less_NF, ft_mid_greater

abs_q_greater_pr: Prove abs_q_greater {p₁ ← p@p1} from
  good_greater_F1, ft_mid_less

mult_hack: Lemma X + X = 2 * X

mult_hack_pr: Prove mult_hack from ⋆1 ⋆⋆2 {x ← 2, y ← X}

ft_mid_less_pr: Prove ft_mid_less from
  cfn_MID,
  ft_select,
  div_ineq
    {x ← (ϑ_{(F+1)} + ϑ_{(N−F)}),
     y ← (ϑ_{(F+1)} + ϑ_{(F+1)}),
     z ← 2},
  div_cancel {x ← 2, y ← ϑ_{(F+1)}},
  mult_hack {X ← ϑ_{(F+1)}},
  floor_defn {x ← x@p3/2}

ft_mid_greater_pr: Prove ft_mid_greater from
  cfn_MID,
  ft_select,
  div_ineq
    {x ← (ϑ_{(N−F)} + ϑ_{(N−F)}),
     y ← (ϑ_{(F+1)} + ϑ_{(N−F)}),
     z ← 2},
  div_cancel {x ← 2, y ← ϑ_{(N−F)}},
  mult_hack {X ← ϑ_{(N−F)}},
  floor_mon {x ← x@p3/2, y ← y@p3/2},
  floor_int {i ← X@p5}

ft_mid_acc_pres_pr: Prove ft_mid_accuracy_preservation from
  ft_mid_bnd_by_good,
  okay_Readpred {γ ← ϑ, y ← X, l ← p₁@p1, m ← q}

End mid4
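An executable model of cfn_MID and of the three properties established in modules mid, mid3 and mid4, added here as an example; it is not part of the report's EHDM modules. The functions select, cfn_mid, okay_readpred, okay_pairs, ft_mid_pi, byzantine_sweep and all sample readings are constructed for this example; process indices stand in for ppred, and funsort's non-increasing order (funsort_ax) makes ϑ_(k) the k-th largest reading.

```python
"""Executable model of the fault-tolerant midpoint function cfn_MID and of the
three properties established in modules mid, mid3 and mid4.  Added example,
not code from the report: select, cfn_mid, okay_readpred, okay_pairs,
ft_mid_pi, byzantine_sweep and all sample readings are constructed here.
Readings are lists indexed by process; the first N - F indices are the good
processes and play the role of the predicate ppred."""
from itertools import product


def select(theta, k):
    """theta_(k) of select_defs: the k-th largest reading (1-based).  funsort
    orders readings non-increasingly (funsort_ax), so it is index k-1 of the
    descending sort."""
    return sorted(theta, reverse=True)[k - 1]


def cfn_mid(theta, N, F):
    """cfn_MID(p, theta) = floor((theta_(F+1) + theta_(N-F)) / 2), module mid.
    Clocktime is integer, so // is exactly the floor of the rational."""
    assert len(theta) == N
    return (select(theta, F + 1) + select(theta, N - F)) // 2


def okay_readpred(theta, Z, good):
    """okay_Readpred(theta, Z, ppred): good readings lie within Z of each other."""
    return all(abs(theta[l] - theta[m]) <= Z for l in good for m in good)


def okay_pairs(theta, gamma, X, good):
    """okay_pairs(theta, gamma, X, ppred): the two readings of each good clock
    differ by at most X."""
    return all(abs(theta[p] - gamma[p]) <= X for p in good)


def ft_mid_pi(X, Z):
    """ft_mid_Pi(X, Z) = ceil(Z/2 + X), computed in integers for Z >= 0."""
    return X + (Z + 1) // 2


def translation_invariant(theta, N, F, X):
    """ft_mid_trans_inv: shifting every reading by X shifts cfn_MID by X."""
    return cfn_mid([v + X for v in theta], N, F) == cfn_mid(theta, N, F) + X


def precision_enhanced(theta, gamma, N, F, X, Z, good):
    """ft_mid_precision_enhancement: two readers with okay pairs and okay
    readings end up within ft_mid_Pi(X, Z) of each other."""
    assert len(good) >= N - F and okay_pairs(theta, gamma, X, good)
    assert okay_readpred(theta, Z, good) and okay_readpred(gamma, Z, good)
    return abs(cfn_mid(theta, N, F) - cfn_mid(gamma, N, F)) <= ft_mid_pi(X, Z)


def accuracy_preserved(theta, N, F, Z, good):
    """ft_mid_accuracy_preservation: cfn_MID stays within the okay_Readpred
    bound of every good reading."""
    assert len(good) >= N - F and okay_readpred(theta, Z, good)
    return all(abs(cfn_mid(theta, N, F) - theta[q]) <= Z for q in good)


def byzantine_sweep(N, F, good_theta, good_gamma, X, Z, faulty_values):
    """Check all three properties for every combination of faulty readings.
    A Byzantine clock may report different values to different readers, so
    the F faulty entries of theta and gamma are varied independently.
    Returns the number of scenarios checked, or -1 on the first failure."""
    assert N >= 3 * F + 1, "No_authentication: N >= 3F + 1"
    good = list(range(N - F))
    assert len(good_theta) == len(good_gamma) == N - F
    checked = 0
    for bad_t in product(faulty_values, repeat=F):
        theta = list(good_theta) + list(bad_t)
        for bad_g in product(faulty_values, repeat=F):
            gamma = list(good_gamma) + list(bad_g)
            if not (translation_invariant(theta, N, F, 7)
                    and precision_enhanced(theta, gamma, N, F, X, Z, good)
                    and accuracy_preserved(theta, N, F, Z, good)):
                return -1
            checked += 1
    return checked


# Constructed sample: N = 4, F = 1; good readings with spread Z = 6 as seen by
# one reader (theta) and spread <= 6 as seen by another (gamma), the two
# views of each good clock differing by at most X = 2.
GOOD_THETA = [100, 103, 97]
GOOD_GAMMA = [101, 101, 99]
FAULTY_VALUES = range(-1000, 1001, 250)   # 9 wildly wrong readings, incl. 0

if __name__ == "__main__":
    print(cfn_mid(GOOD_THETA + [-1000], 4, 1))
    print(byzantine_sweep(4, 1, GOOD_THETA, GOOD_GAMMA, 2, 6, FAULTY_VALUES))
```

Because F+1-th largest and (N−F)-th largest readings are both bracketed by good readings whenever N ≥ 2F+1, the faulty clock's value never moves cfn_MID outside the good interval, whatever it reports to each reader.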
C.6 select_defs

select_defs: Module

Using arith, countmod, clockassumptions, clocksort
Exporting all with clockassumptions
Theory

process: Type is nat
Clocktime: Type is integer
l, m, n, p, q: Var process

ϑ: Var function[process → Clocktime]
i, j, k: Var posint
T, X, Y, Z: Var Clocktime

⋆1_{(⋆2)}: function[function[process → Clocktime], posint → Clocktime] ==
  (λ ϑ, i: ϑ(funsort(ϑ)(i)))

select_trans_inv: Lemma k ≤ N ⊃ (λ q: ϑ(q) + X)_{(k)} = ϑ_{(k)} + X

select_exists1: Lemma i ≤ N ⊃ (∃ p: p ≤ N ∧ ϑ(p) = ϑ_{(i)})
select_exists2: Lemma p ≤ N ⊃ (∃ i: i ≤ N ∧ ϑ(p) = ϑ_{(i)})
select_ax: Lemma 1 ≤ i ∧ i ≤ k ∧ k ≤ N ⊃ ϑ_{(i)} ≥ ϑ_{(k)}
count_geq_select: Lemma k ≤ N ⊃ count((λ p: ϑ(p) ≥ ϑ_{(k)}), N) ≥ k

count_leq_select: Lemma k ≤ N ⊃ count((λ p: ϑ_{(k)} ≥ ϑ(p)), N) ≥ N − k + 1

Proof

select_trans_inv_pr: Prove select_trans_inv from funsort_trans_inv

select_exists1_pr: Prove select_exists1 {p ← funsort(ϑ)(i)} from
  funsort_fun_1_1 {j ← i}

select_exists2_pr: Prove select_exists2 {i ← i@p1} from funsort_fun_onto
select_ax_pr: Prove select_ax from funsort_ax {i ← i@c, j ← k@c}
count_leq_select_pr: Prove count_leq_select from cnt_sort_leq
count_geq_select_pr: Prove count_geq_select from cnt_sort_geq
End select_defs
C.7 ft_mid_assume

ft_mid_assume: Module
Using clockassumptions
Exporting all with clockassumptions

Theory

ft_mid_maxfaults: Axiom N > 2 * F + 1
No_authentication: Axiom N > 3 * F + 1
Proof

ft_mid_maxfaults_pr: Prove ft_mid_maxfaults from No_authentication
End ft_mid_assume
C.8 clocksort

clocksort: Module
Using clockassumptions
Exporting all with clockassumptions
Theory

l, m, n, p, q: Var process
i, j, k: Var posint
X, Y: Var Clocktime

ϑ: Var function[process → Clocktime]
funsort: function[function[process → Clocktime]
  → function[posint → process]]

(* clock readings can be sorted *)

funsort_ax: Axiom i ≤ j ∧ j ≤ N ⊃ ϑ(funsort(ϑ)(i)) ≥ ϑ(funsort(ϑ)(j))
funsort_fun_1_1: Axiom
  i ≤ N ∧ j ≤ N ∧ funsort(ϑ)(i) = funsort(ϑ)(j) ⊃ i = j ∧ funsort(ϑ)(i) ≤ N
funsort_fun_onto: Axiom p ≤ N ⊃ (∃ i: i ≤ N ∧ funsort(ϑ)(i) = p)
funsort_trans_inv: Axiom
  k ≤ N ⊃ (ϑ(funsort((λ q: ϑ(q) + X))(k)) = ϑ(funsort(ϑ)(k)))
cnt_sort_geq: Axiom k ≤ N ⊃ count((λ p: ϑ(p) ≥ ϑ(funsort(ϑ)(k))), N) ≥ k
cnt_sort_leq: Axiom
  k ≤ N ⊃ count((λ p: ϑ(funsort(ϑ)(k)) ≥ ϑ(p)), N) ≥ N − k + 1

Proof

End clocksort
Appendix D
Utility Modules

This appendix contains the Ehdm utility modules required for the clock synchroniza-
tion proofs. Most of these were taken from Shankar's theory (ref. 10). The induction
modules are from Rushby's transient recovery verification (ref. 17). Module countmod
was substantially changed in the course of this verification and is therefore much different
from Shankar's module countmod. Also, module floor_ceil added a number of useful prop-
erties required to support the conversion of Clocktime from real to integer. In Shankar's
presentation Clocktime ranged over the reals.
D.1 multiplication

multiplication: Module
Exporting all
Theory

x, y, z, x₁, y₁, z₁, x₂, y₂, z₂: Var number

⋆1 ⋆⋆2: function[number, number → number] = (λ x, y: (x * y))

mult_ldistrib: Lemma x * (y + z) = x * y + x * z
mult_ldistrib_minus: Lemma x * (y − z) = x * y − x * z
mult_rident: Lemma x * 1 = x
mult_lident: Lemma 1 * x = x
distrib: Lemma (x + y) * z = x * z + y * z
distrib_minus: Lemma (x − y) * z = x * z − y * z
mult_non_neg: Axiom ((x ≥ 0 ∧ y ≥ 0) ∨ (x ≤ 0 ∧ y ≤ 0)) ⇔ x * y ≥ 0
mult_pos: Axiom ((x > 0 ∧ y > 0) ∨ (x < 0 ∧ y < 0)) ⇔ x * y > 0
mult_com: Lemma x * y = y * x
pos_product: Lemma x ≥ 0 ∧ y ≥ 0 ⊃ x * y ≥ 0
mult_leq: Lemma z ≥ 0 ∧ x ≥ y ⊃ x * z ≥ y * z
mult_leq_2: Lemma z ≥ 0 ∧ x ≥ y ⊃ z * x ≥ z * y
mult_l0: Axiom 0 * x = 0
mult_gt: Lemma z > 0 ∧ x > y ⊃ x * z > y * z
Proof

mult_gt_pr: Prove mult_gt from
  mult_pos {x ← x − y, y ← z}, distrib_minus

distrib_minus_pr: Prove distrib_minus from
  mult_ldistrib_minus {x ← z, y ← x, z ← y},
  mult_com {x ← x − y, y ← z},
  mult_com {y ← z},
  mult_com {x ← y, y ← z}

mult_leq_2_pr: Prove mult_leq_2 from
  mult_ldistrib_minus {x ← z, y ← x, z ← y},
  mult_non_neg {x ← z, y ← x − y}

mult_leq_pr: Prove mult_leq from
  distrib_minus, mult_non_neg {x ← x − y, y ← z}

mult_com_pr: Prove mult_com from ⋆1 ⋆⋆2, ⋆1 ⋆⋆2 {x ← y, y ← x}

pos_product_pr: Prove pos_product from mult_non_neg

mult_rident_proof: Prove mult_rident from ⋆1 ⋆⋆2 {y ← 1}

mult_lident_proof: Prove mult_lident from ⋆1 ⋆⋆2 {x ← 1, y ← x}

distrib_proof: Prove distrib from
  ⋆1 ⋆⋆2 {x ← x + y, y ← z},
  ⋆1 ⋆⋆2 {y ← z},
  ⋆1 ⋆⋆2 {x ← y, y ← z}

mult_ldistrib_proof: Prove mult_ldistrib from
  ⋆1 ⋆⋆2 {y ← y + z, x ← x}, ⋆1 ⋆⋆2, ⋆1 ⋆⋆2 {y ← z}

mult_ldistrib_minus_proof: Prove mult_ldistrib_minus from
  ⋆1 ⋆⋆2 {y ← y − z, x ← x}, ⋆1 ⋆⋆2, ⋆1 ⋆⋆2 {y ← z}

End multiplication
D.2 division

division: Module

Using multiplication, absmod, floor_ceil

Exporting all

Theory

x, y, z, x₁, y₁, z₁, x₂, y₂, z₂: Var number
mult_div_1: Axiom z ≠ 0 ⊃ x * y/z = x * (y/z)
mult_div_2: Axiom z ≠ 0 ⊃ x * y/z = (x/z) * y
mult_div_3: Axiom z ≠ 0 ⊃ (z/z) = 1
mult_div: Lemma y ≠ 0 ⊃ (x/y) * y = x
div_cancel: Lemma x ≠ 0 ⊃ x * y/x = y
div_distrib: Lemma z ≠ 0 ⊃ ((x + y)/z) = (x/z) + (y/z)
ceil_mult_div: Lemma y > 0 ⊃ ⌈x/y⌉ * y ≥ x
ceil_plus_mult_div: Lemma y > 0 ⊃ (⌈x/y⌉ + 1) * y > x
div_nonnegative: Lemma x ≥ 0 ∧ y > 0 ⊃ (x/y) ≥ 0
div_minus_distrib: Lemma z ≠ 0 ⊃ (x − y)/z = (x/z) − (y/z)
div_ineq: Lemma z > 0 ∧ x < y ⊃ (x/z) < (y/z)
abs_div: Lemma y > 0 ⊃ |x/y| = |x|/y
mult_minus: Lemma y ≠ 0 ⊃ −(x/y) = (−x/y)
div_minus_1: Lemma y > 0 ∧ x < 0 ⊃ (x/y) < 0
Proof

div_nonnegative_pr: Prove div_nonnegative from
  mult_non_neg {x ← (if y ≠ 0 then (x/y) else 0 end if)}, mult_div

div_distrib_pr: Prove div_distrib from
  mult_div_1 {x ← x + y, y ← 1, z ← z},
  mult_rident {x ← x + y},
  mult_div_1 {x ← x, y ← 1, z ← z},
  mult_rident,
  mult_div_1 {x ← y, y ← 1, z ← z},
  mult_rident {x ← y},
  distrib {z ← (if z ≠ 0 then (1/z) else 0 end if)}

div_cancel_pr: Prove div_cancel from
  mult_div_2 {z ← x}, mult_div_3 {z ← x}, mult_lident {x ← y}

mult_div_pr: Prove mult_div from
  mult_div_2 {z ← y}, mult_div_1 {z ← y}, mult_div_3 {z ← y}, mult_rident

abs_div_pr: Prove abs_div from
  |⋆1| {x ← (if y ≠ 0 then (x/y) else 0 end if)},
  |⋆1|,
  div_nonnegative,
  div_minus_1,
  mult_minus

mult_minus_pr: Prove mult_minus from
  mult_div_1 {x ← −1, y ← x, z ← y},
  ⋆1 ⋆⋆2 {x ← −1, y ← x},
  ⋆1 ⋆⋆2 {x ← −1, y ← (if y ≠ 0 then (x/y) else 1 end if)}

div_minus_1_pr: Prove div_minus_1 from
  mult_div,
  pos_product {x ← (if y ≠ 0 then (x/y) else 0 end if), y ← y}

div_minus_distrib_pr: Prove div_minus_distrib from
  div_distrib {y ← −y}, mult_minus {x ← y, y ← z}

div_ineq_pr: Prove div_ineq from
  mult_div {y ← z},
  mult_div {x ← y, y ← z},
  mult_gt
    {x ← (if z ≠ 0 then (x/z) else 0 end if),
     y ← (if z ≠ 0 then (y/z) else 0 end if)}

ceil_plus_mult_div_proof: Prove ceil_plus_mult_div from
  ceil_mult_div,
  distrib
    {x ← ⌈(if y ≠ 0 then (x/y) else 0 end if)⌉,
     y ← 1,
     z ← y},
  mult_lident {x ← y}

ceil_mult_div_proof: Prove ceil_mult_div from
  mult_div,
  mult_leq
    {x ← ⌈(if y ≠ 0 then (x/y) else 0 end if)⌉,
     y ← (if y ≠ 0 then (x/y) else 0 end if),
     z ← y},
  ceil_defn {x ← (if y ≠ 0 then (x/y) else 0 end if)}
End division
D.3 absmod

absmod: Module
Using multiplication
Exporting all
Theory

x, y, z, x₁, y₁, z₁, x₂, y₂, z₂: Var number
X: Var integer

|⋆1|: Definition function[number → number] =
  (λ x: (if x < 0 then −x else x end if))
iabs: Definition function[integer → integer] =
  (λ X: (if X < 0 then −X else X end if))

iabs_is_abs: Lemma x = X ⊃ iabs(X) = |x|

abs_main: Lemma |x| < z ⊃ (x < z ∨ −x < z)

abs_leq_0: Lemma |x − y| ≤ z ⊃ (x − y) ≤ z

abs_diff: Lemma |x − y| < z ⊃ ((x − y) < z ∨ (y − x) < z)

abs_leq: Lemma |x| ≤ z ⊃ (x ≤ z ∨ −x ≤ z)

abs_bnd: Lemma 0 < z ∧ 0 ≤ x ∧ x < z ∧ 0 ≤ y ∧ y < z ⊃ |x − y| < z

abs_1_bnd: Lemma |x − y| < z ⊃ x < y + z
abs_2_bnd: Lemma |x − y| < z ⊃ x > y − z
abs_3_bnd: Lemma x < y + z ∧ x > y − z ⊃ |x − y| < z
abs_drift: Lemma |x − y| < z ∧ |x₁ − x| < z₁ ⊃ |x₁ − y| < z + z₁
abs_com: Lemma |x − y| = |y − x|

abs_drift_2: Lemma
  |x − y| < z ∧ |x₁ − x| < z₁ ∧ |y₁ − y| < z₂ ⊃ |x₁ − y₁| < z + z₁ + z₂

abs_geq: Lemma x ≥ y ∧ y ≥ 0 ⊃ |x| ≥ |y|

abs_ge0: Lemma x ≥ 0 ⊃ |x| = x

abs_plus: Lemma |x + y| ≤ |x| + |y|

abs_diff_3: Lemma x − y < z ∧ y − x < z ⊃ |x − y| < z

Proof

iabs_pr: Prove iabs_is_abs from |⋆1|, iabs

abs_plus_pr: Prove abs_plus from |⋆1| {x ← x + y}, |⋆1|, |⋆1| {x ← y}

abs_diff_3_pr: Prove abs_diff_3 from |⋆1| {x ← x − y}

abs_ge0_proof: Prove abs_ge0 from |⋆1|

abs_geq_proof: Prove abs_geq from |⋆1|, |⋆1| {x ← y}

abs_drift_2_proof: Prove abs_drift_2 from
  abs_drift,
  abs_drift {x ← y, y ← y₁, z ← z₂, z₁ ← z + z₁},
  abs_com {x ← x₁}

abs_com_proof: Prove abs_com from |⋆1| {x ← (x − y)}, |⋆1| {x ← (y − x)}
abs_drift_proof: Prove abs_drift from
  abs_1_bnd,
  abs_1_bnd {x ← x₁, y ← x, z ← z₁},
  abs_2_bnd,
  abs_2_bnd {x ← x₁, y ← x, z ← z₁},
  abs_3_bnd {x ← x₁, z ← z + z₁}

abs_3_bnd_proof: Prove abs_3_bnd from |⋆1| {x ← (x − y)}
abs_main_proof: Prove abs_main from |⋆1|
abs_leq_0_proof: Prove abs_leq_0 from |⋆1| {x ← x − y}
abs_diff_proof: Prove abs_diff from |⋆1| {x ← (x − y)}
abs_leq_proof: Prove abs_leq from |⋆1|
abs_bnd_proof: Prove abs_bnd from |⋆1| {x ← (x − y)}
abs_1_bnd_proof: Prove abs_1_bnd from |⋆1| {x ← (x − y)}
abs_2_bnd_proof: Prove abs_2_bnd from |⋆1| {x ← (x − y)}
End absmod
D.4 floor_ceil

floor_ceil: Module
Using multiplication, absmod
Exporting all
Theory

i, j: Var integer

x, y, z, x₁, y₁, z₁, x₂, y₂, z₂: Var number

⌈*1⌉: function[number → int]

ceil_defn: Axiom ⌈x⌉ ≥ x ∧ ⌈x⌉ − 1 < x

⌊*1⌋: function[number → int]

floor_defn: Axiom ⌊x⌋ ≤ x ∧ ⌊x⌋ + 1 > x

ceil_geq: Lemma ⌈x⌉ ≥ x

ceil_mon: Lemma x ≥ y ⊃ ⌈x⌉ ≥ ⌈y⌉

ceil_int: Lemma ⌈i⌉ = i

floor_leq: Lemma ⌊x⌋ ≤ x

floor_mon: Lemma x ≤ y ⊃ ⌊x⌋ ≤ ⌊y⌋

floor_int: Lemma ⌊i⌋ = i

ceil_plus_i: Lemma ⌈x⌉ + i ≥ x + i ∧ ⌈x⌉ + i − 1 < x + i

ceil_plus_int: Lemma ⌈x⌉ + i = ⌈x + i⌉

int_plus_ceil: Lemma i + ⌈x⌉ = ⌈i + x⌉

floor_plus_i: Lemma ⌊x⌋ + i ≤ x + i ∧ ⌊x⌋ + i + 1 > x + i

floor_plus_int: Lemma ⌊x⌋ + i = ⌊x + i⌋

neg_floor_eq_ceil_neg: Lemma −⌊x⌋ = ⌈−x⌉

neg_ceil_eq_floor_neg: Lemma −⌈x⌉ = ⌊−x⌋

ceil_sum: Lemma ⌈x⌉ + ⌈y⌉ ≤ ⌈x + y⌉ + 1

abs_ceil_sum: Lemma |⌈x⌉ + ⌈y⌉| ≤ |⌈x + y⌉| + 1

floor_sub_floor_leq_ceil: Lemma x − y ≤ z ⊃ ⌊x⌋ − ⌊y⌋ ≤ ⌈z⌉

abs_floor_sub_floor_leq_ceil: Lemma |x − y| ≤ z ⊃ |⌊x⌋ − ⌊y⌋| ≤ ⌈z⌉

floor_gt_imp_gt: Lemma ⌊x⌋ > ⌊y⌋ ⊃ x > y

mult_floor_gt: Lemma z > 0 ∧ ⌊x⌋ > ⌊y⌋ ⊃ x * z > y * z

Proof

mult_floor_gt_pr: Prove mult_floor_gt from floor_gt_imp_gt, mult_gt

floor_gt_imp_gt_pr: Prove floor_gt_imp_gt from
  floor_defn, floor_defn {x ← y}

floor_sub_floor_leq_ceil_pr: Prove floor_sub_floor_leq_ceil from
  floor_defn, floor_defn {x ← y}, ceil_defn {x ← z}

abs_floor_sub_floor_leq_ceil_pr: Prove abs_floor_sub_floor_leq_ceil from
  floor_defn,
  floor_defn {x ← y},
  ceil_defn {x ← z},
  |*1| {x ← x − y},
  |*1| {x ← ⌊x⌋ − ⌊y⌋}

int_plus_ceil_pr: Prove int_plus_ceil from ceil_plus_int
ceil_geq_pr: Prove ceil_geq from ceil_defn
ceil_mon_pr: Prove ceil_mon from ceil_defn, ceil_defn {x ← y}
floor_leq_pr: Prove floor_leq from floor_defn

floor_mon_pr: Prove floor_mon from floor_defn, floor_defn {x ← y}

ceil_eq_hack: Sublemma i ≥ x ∧ i − 1 < x ∧ j ≥ x ∧ j − 1 < x ⊃ i = j

ceil_eq_hack_pr: Prove ceil_eq_hack

ceil_plus_i_pr: Prove ceil_plus_i from ceil_defn

ceil_plus_int_pr: Prove ceil_plus_int from
  ceil_plus_i,
  ceil_defn {x ← x + i},
  ceil_eq_hack {x ← x + i, i ← ⌈x⌉ + i, j ← ⌈x + i⌉}

floor_eq_hack: Sublemma i ≤ x ∧ i + 1 > x ∧ j ≤ x ∧ j + 1 > x ⊃ i = j

floor_eq_hack_pr: Prove floor_eq_hack
floor_plus_i_pr: Prove floor_plus_i from floor_defn
floor_plus_int_pr: Prove floor_plus_int from
  floor_plus_i,
  floor_defn {x ← x + i},
  floor_eq_hack {x ← x + i, i ← ⌊x⌋ + i, j ← ⌊x + i⌋}

neg_floor_eq_ceil_neg_pr: Prove neg_floor_eq_ceil_neg from
  floor_defn, ceil_defn {x ← −x}

neg_ceil_eq_floor_neg_pr: Prove neg_ceil_eq_floor_neg from
  floor_defn {x ← −x}, ceil_defn

ceil_sum_pr: Prove ceil_sum from
  ceil_defn {x ← x + y}, ceil_defn {x ← y}, ceil_defn

abs_ceil_sum_pr: Prove abs_ceil_sum from
  |*1| {x ← ⌈x⌉ + ⌈y⌉},
  |*1| {x ← ⌈x + y⌉},
  ceil_defn {x ← x + y},
  ceil_defn {x ← y},
  ceil_defn

ceil_int_pr: Prove ceil_int from ceil_defn {x ← i}
floor_int_pr: Prove floor_int from floor_defn {x ← i}
End floor_ceil
D.5 natinduction

natinduction: Module
Theory

i, j, m, n, m₁: Var nat

p, prop: Var function[nat → bool]

induction: Theorem (prop(0) ∧ (∀ j : prop(j) ⊃ prop(j + 1))) ⊃ prop(i)

complete_induction: Theorem
  (∀ i : (∀ j : j < i ⊃ p(j)) ⊃ p(i)) ⊃ (∀ n : p(n))

induction_m: Theorem
  p(m) ∧ (∀ i : i ≥ m ∧ p(i) ⊃ p(i + 1)) ⊃ (∀ n : n ≥ m ⊃ p(n))

limited_induction: Theorem
  (m ≤ m₁ ⊃ p(m)) ∧ (∀ i : i ≥ m ∧ i < m₁ ∧ p(i) ⊃ p(i + 1))
  ⊃ (∀ n : n ≥ m ∧ n ≤ m₁ ⊃ p(n))

Proof

Using noetherian

less: function[nat, nat → bool] == (λ m, n : m < n)

instance: Module is noetherian[nat, less]
x: Var nat

identity: function[nat → nat] == (λ n : n)

discharge: Prove well_founded {measure ← identity}

complete_ind_pr: Prove complete_induction {i ← d₁@p1} from
  general_induction {d ← n, d₂ ← j}

ind_proof: Prove induction {j ← pred(d₁@p1)} from
  general_induction {p ← prop, d ← i, d₂ ← j}

(* Substitution for n in following could simply be n <- n-m
   but then the TCC would not be provable *)

ind_m_proof: Prove induction_m {i ← j@p1 + m} from
  induction
    {prop ← (λ x : p@c(x + m)),
     i ← if n ≥ m then n − m else 0 end if}

limited_proof: Prove limited_induction {i ← i@p1} from
  induction_m {p ← (λ x : x ≤ m₁ ⊃ p@c(x))}

(* These results can also be proved the other way about but the
   TCCs are more complex

alt_ind_m_proof: PROVE induction_m {i <- d1@p1 + m - 1} FROM
  general_induction
    {d <- n - m,
     d2 <- i - m,
     p <- (LAMBDA x : p@c(x + m))}

alt_ind_proof: PROVE induction {i <- i@p1 - m@p1} FROM
  induction_m {p <- (LAMBDA x : p@c(x - m)), n <- n@c + m}

*)

End natinduction
D.6 noetherian

noetherian: Module [dom: Type, <: function[dom, dom → bool]]
Assuming

measure: Var function[dom → nat]
a, b: Var dom

well_founded: Formula (∃ measure : a < b ⊃ measure(a) < measure(b))
Theory

p, A, B: Var function[dom → bool]
d, d₁, d₂: Var dom

general_induction: Axiom
  (∀ d₁ : (∀ d₂ : d₂ < d₁ ⊃ p(d₂)) ⊃ p(d₁)) ⊃ (∀ d : p(d))

d₃, d₄: Var dom

mod_induction: Theorem
  (∀ d₃, d₄ : d₄ < d₃ ⊃ A(d₃) ⊃ A(d₄))
  ∧ (∀ d₁ : (∀ d₂ : d₂ < d₁ ⊃ (A(d₂) ∧ B(d₂))) ⊃ B(d₁))
  ⊃ (∀ d : A(d) ⊃ B(d))

Proof

mod_proof: Prove mod_induction
  {d₁ ← d₁@p1,
   d₃ ← d₁@p1,
   d₄ ← d₂} from general_induction {p ← (λ d : A(d) ⊃ B(d))}

End noetherian
D.7 countmod

countmod: Module
Exporting all
Theory
h: Var int

posint: Type from nat with (λ i₁ : i₁ > 0)
l, m, n, p, q, p₁, p₂, q₁, q₂, p₃, q₃: Var nat
i, j, k: Var nat
x, y, z, r, s, t: Var number
X, Y, Z: Var number

ppred, ppred1, ppred2: Var function[nat → bool]
ϑ, θ, γ: Var function[nat → number]

countsize: function[function[nat → bool], nat → nat] = (λ ppred, i : i)
count: Recursive function[function[nat → bool], nat → nat] =
  (λ ppred, i : (if i > 0
                  then (if ppred(i − 1)
                         then 1 + (count(ppred, i − 1))
                         else count(ppred, i − 1)
                        end if)
                  else 0
                 end if)) by countsize

(* Count Complement was moved from ica3 *)

count_complement: Lemma count((λ q : ¬ppred(q)), n) = n − count(ppred, n)
count_exists: Lemma count(ppred, n) > 0 ⊃ (∃ p : p < n ∧ ppred(p))
count_true: Lemma count((λ p : true), n) = n
count_false: Lemma count((λ p : false), n) = 0

imp_pred: function[function[nat → bool], function[nat → bool] → bool] =
  (λ ppred1, ppred2 : (∀ p : ppred1(p) ⊃ ppred2(p)))

imp_pred_lem: Lemma imp_pred(ppred1, ppred2) ⊃ (ppred1(p) ⊃ ppred2(p))

imp_pred_or: Lemma imp_pred(ppred1, (λ p : ppred1(p) ∨ ppred2(p)))

count_imp: Lemma imp_pred(ppred1, ppred2)
  ⊃ count(ppred1, n) ≤ count(ppred2, n)

count_or: Lemma count(ppred1, n) ≥ k
  ⊃ count((λ p : ppred1(p) ∨ ppred2(p)), n) ≥ k

count_bounded_imp: Lemma count((λ p : p < n ⊃ ppred(p)), n) = count(ppred, n)
count_bounded_and: Lemma count((λ p : p < n ∧ ppred(p)), n) = count(ppred, n)
pigeon_hole: Lemma
  count(ppred1, n) + count(ppred2, n) ≥ n + k
  ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), n) ≥ k

pred1, pred2: Var function[nat → bool]

pred_extensionality: Axiom (∀ p : pred1(p) = pred2(p)) ⊃ pred1 = pred2

(* these are in the theory section so the tcc module won't complain *)
nk_type: Type = Record n : nat,
                       k : nat
                end record

nk, nk1, nk2: Var nk_type

nk_less: function[nk_type, nk_type → bool] ==
  (λ nk1, nk2 : nk1.n + nk1.k < nk2.n + nk2.k)

Proof

Using natinduction, noetherian

imp_pred_lem_pr: Prove imp_pred_lem from imp_pred {p ← p@c}

imp_pred_or_pr: Prove imp_pred_or from
  imp_pred {ppred2 ← (λ p : ppred1(p) ∨ ppred2(p))}

count_imp0: Lemma
  imp_pred(ppred1, ppred2) ⊃ count(ppred1, 0) ≤ count(ppred2, 0)

count_imp_ind: Lemma
  (imp_pred(ppred1, ppred2) ⊃ count(ppred1, n) ≤ count(ppred2, n))
  ⊃ (imp_pred(ppred1, ppred2)
     ⊃ count(ppred1, n + 1) ≤ count(ppred2, n + 1))

count_imp0_pr: Prove count_imp0 from
  count {i ← 0, ppred ← ppred1}, count {i ← 0, ppred ← ppred2}

count_imp_ind_pr: Prove count_imp_ind from
  count {ppred ← ppred1, i ← n + 1},
  count {ppred ← ppred2, i ← n + 1},
  imp_pred {p ← n}

count_imp_pr: Prove count_imp from
  induction
    {prop ← (λ n : (imp_pred(ppred1, ppred2) ⊃ count(ppred1, n) ≤ count(ppred2, n))),
     i ← n@c},
  count_imp0,
  count_imp_ind {n ← j@p1}

count_or_pr: Prove count_or from
  count_imp {ppred2 ← (λ p : ppred1(p) ∨ ppred2(p))}, imp_pred_or

count_bounded_imp0: Lemma
  k ≥ 0 ⊃ count((λ p : p < k ⊃ ppred(p)), 0) = count(ppred, 0)

count_bounded_imp_ind: Lemma
  (k ≥ n ⊃ count((λ p : p < k ⊃ ppred(p)), n) = count(ppred, n))
  ⊃ (k ≥ n + 1 ⊃ count((λ p : p < k ⊃ ppred(p)), n + 1) = count(ppred, n + 1))

count_bounded_imp_k: Lemma
  (k ≥ n ⊃ count((λ p : p < k ⊃ ppred(p)), n) = count(ppred, n))

count_bounded_imp0_pr: Prove count_bounded_imp0 from
  count {i ← 0}, count {ppred ← (λ p : p < k ⊃ ppred(p)), i ← 0}

count_bounded_imp_ind_pr: Prove count_bounded_imp_ind from
  count {i ← n + 1},
  count {ppred ← (λ p : p < k ⊃ ppred(p)), i ← n + 1}

count_bounded_imp_k_pr: Prove count_bounded_imp_k from
  induction
    {prop ← (λ n :
       k ≥ n ⊃ count((λ p : p < k ⊃ ppred(p)), n) = count(ppred, n)),
     i ← n},
  count_bounded_imp0,
  count_bounded_imp_ind {n ← j@p1}

count_bounded_imp_pr: Prove count_bounded_imp from
  count_bounded_imp_k {k ← n}

count_bounded_and0: Lemma
  k ≥ 0 ⊃ count((λ p : p < k ∧ ppred(p)), 0) = count(ppred, 0)

count_bounded_and_ind: Lemma
  (k ≥ n ⊃ count((λ p : p < k ∧ ppred(p)), n) = count(ppred, n))
  ⊃ (k ≥ n + 1 ⊃ count((λ p : p < k ∧ ppred(p)), n + 1) = count(ppred, n + 1))

count_bounded_and_k: Lemma
  (k ≥ n ⊃ count((λ p : p < k ∧ ppred(p)), n) = count(ppred, n))

count_bounded_and0_pr: Prove count_bounded_and0 from
  count {i ← 0}, count {ppred ← (λ p : p < k ∧ ppred(p)), i ← 0}

count_bounded_and_ind_pr: Prove count_bounded_and_ind from
  count {i ← n + 1},
  count {ppred ← (λ p : p < k ∧ ppred(p)), i ← n + 1}

count_bounded_and_k_pr: Prove count_bounded_and_k from
  induction
    {prop ← (λ n :
       k ≥ n ⊃ count((λ p : p < k ∧ ppred(p)), n) = count(ppred, n)),
     i ← n},
  count_bounded_and0,
  count_bounded_and_ind {n ← j@p1}

count_bounded_and_pr: Prove count_bounded_and from
  count_bounded_and_k {k ← n}

count_false_pr: Prove count_false from
  count_true,
  count_complement {ppred ← (λ p : true)},
  pred_extensionality
    {pred1 ← (λ p : ¬true),
     pred2 ← (λ p : false)}

cc0: Lemma count((λ q : ¬ppred(q)), 0) = 0 − count(ppred, 0)

cc_ind: Lemma (count((λ q : ¬ppred(q)), n) = n − count(ppred, n))
  ⊃ (count((λ q : ¬ppred(q)), n + 1) = n + 1 − count(ppred, n + 1))

cc0_pr: Prove cc0 from
  count {ppred ← (λ q : ¬ppred(q)), i ← 0}, count {i ← 0}

cc_ind_pr: Prove cc_ind from
  count {ppred ← (λ q : ¬ppred(q)), i ← n + 1}, count {i ← n + 1}

count_complement_pr: Prove count_complement from
  induction
    {prop ← (λ n : count((λ q : ¬ppred(q)), n) = n − count(ppred, n)),
     i ← n},
  cc0,
  cc_ind {n ← j@p1}

instance: Module is noetherian[nk_type, nk_less]
nk_measure: function[nk_type → nat] == (λ nk1 : nk1.n + nk1.k)
nk_well_founded: Prove well_founded {measure ← nk_measure}

nk_ph_pred: function[function[nat → bool], function[nat → bool], nk_type
                     → bool] =
  (λ ppred1, ppred2, nk :
     count(ppred1, nk.n) + count(ppred2, nk.n) ≥ nk.n + nk.k
     ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), nk.n) ≥ nk.k)

nk_noeth_pred: function[function[nat → bool], function[nat → bool],
                        nk_type → bool] =
  (λ ppred1, ppred2, nk1 :
     (∀ nk2 : nk_less(nk2, nk1) ⊃ nk_ph_pred(ppred1, ppred2, nk2)))

ph_case1: Lemma count((λ p : ppred1(p) ∧ ppred2(p)), pred(n)) ≥ k
  ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), n) ≥ k

ph_case1_pr: Prove ph_case1 from
  count {ppred ← (λ p : ppred1(p) ∧ ppred2(p)), i ← n}

ph_case2: Lemma count(ppred1, pred(n)) + count(ppred2, pred(n)) < pred(n) + k
  ∧ count(ppred1, n) + count(ppred2, n) ≥ n + k
  ∧ count((λ p : ppred1(p) ∧ ppred2(p)), pred(n)) ≥ pred(k)
  ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), n) ≥ k

ph_case2a: Lemma count(ppred1, pred(n)) + count(ppred2, pred(n)) < pred(n) + k
  ∧ count(ppred1, n) + count(ppred2, n) ≥ n + k
  ⊃ ppred1(pred(n)) ∧ ppred2(pred(n))

ph_case2b: Lemma n > 0
  ∧ k > 0 ∧ count(ppred1, pred(n)) + count(ppred2, pred(n)) < pred(n) + k
  ∧ count(ppred1, n) + count(ppred2, n) ≥ n + k
  ⊃ count(ppred1, pred(n)) + count(ppred2, pred(n)) ≥ pred(n) + pred(k)

ph_case2a_pr: Prove ph_case2a from
  count {ppred ← ppred1, i ← n}, count {ppred ← ppred2, i ← n}

ph_case2b_pr: Prove ph_case2b from
  count {ppred ← ppred1, i ← n}, count {ppred ← ppred2, i ← n}

ph_case2_pr: Prove ph_case2 from
  count {ppred ← (λ p : ppred1(p) ∧ ppred2(p)), i ← n}, ph_case2a

ph_case0: Lemma (n = 0 ∨ k = 0)
  ⊃ (count(ppred1, n) + count(ppred2, n) ≥ n + k
     ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), n) ≥ k)

ph_case0n: Lemma (count(ppred1, 0) + count(ppred2, 0) ≥ k
  ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), 0) ≥ k)

ph_case0n_pr: Prove ph_case0n from
  count {ppred ← ppred1, i ← 0},
  count {ppred ← ppred2, i ← 0},
  count {ppred ← (λ p : ppred1(p) ∧ ppred2(p)), i ← 0}

ph_case0k: Lemma count((λ p : ppred1(p) ∧ ppred2(p)), n) ≥ 0

ph_case0k_pr: Prove ph_case0k from
  nat_invariant {nat_var ← count((λ p : ppred1(p) ∧ ppred2(p)), n)}

ph_case0_pr: Prove ph_case0 from ph_case0n, ph_case0k

nk_ph_expand: Lemma
  (∀ n, k : (count(ppred1, pred(n)) + count(ppred2, pred(n)) ≥ pred(n) + pred(k)
             ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), pred(n)) ≥ pred(k))
          ∧ (count(ppred1, pred(n)) + count(ppred2, pred(n)) ≥ pred(n) + k
             ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), pred(n)) ≥ k)
          ⊃ (count(ppred1, n) + count(ppred2, n) ≥ n + k
             ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), n) ≥ k))

nk_ph_expand_pr: Prove nk_ph_expand from
  ph_case0, ph_case1, ph_case2, ph_case2a, ph_case2b

nk_ph_noeth_hyp: Lemma
  (∀ nk1 : nk_noeth_pred(ppred1, ppred2, nk1)
           ⊃ nk_ph_pred(ppred1, ppred2, nk1))

nk_ph_noeth_hyp_pr: Prove nk_ph_noeth_hyp from
  nk_ph_pred {nk ← nk1},
  nk_noeth_pred {nk2 ← nk1 with [(n) := pred(nk1.n)]},
  nk_noeth_pred {nk2 ← nk1 with [(n) := pred(nk1.n), (k) := pred(nk1.k)]},
  nk_ph_pred {nk ← nk1 with [(n) := pred(nk1.n)]},
  nk_ph_pred {nk ← nk1 with [(n) := pred(nk1.n), (k) := pred(nk1.k)]},
  nk_ph_expand {n ← nk1.n, k ← nk1.k},
  ph_case0 {n ← nk1.n, k ← nk1.k},
  nat_invariant {nat_var ← nk1.n},
  nat_invariant {nat_var ← nk1.k}

nk_ph_lem: Lemma nk_ph_pred(ppred1, ppred2, nk)

nk_ph_lem_pr: Prove nk_ph_lem from
  general_induction
    {p ← (λ nk : nk_ph_pred(ppred1, ppred2, nk)),
     d₂ ← nk2@p3,
     d ← nk@c},
  nk_ph_noeth_hyp {nk1 ← d₁@p1},
  nk_noeth_pred {nk1 ← d₁@p1}

pigeon_hole_pr: Prove pigeon_hole from
  nk_ph_lem {nk ← nk with [(n) := n@c, (k) := k@c]},
  nk_ph_pred {nk ← nk@p1}

exists_less: function[function[nat → bool], nat → bool] =
  (λ ppred, n : (∃ p : p < n ∧ ppred(p)))

count_exists_base: Lemma count(ppred, 0) > 0 ⊃ exists_less(ppred, 0)

count_exists_base_pr: Prove count_exists_base from
  count {i ← 0}, exists_less {n ← 0}

count_exists_ind: Lemma
  (count(ppred, n) > 0 ⊃ exists_less(ppred, n))
  ⊃ (count(ppred, n + 1) > 0 ⊃ exists_less(ppred, n + 1))

count_exists_ind_pr: Prove count_exists_ind from
  count {i ← n + 1},
  exists_less,
  exists_less {n ← n + 1, p ← (if ppred(n) then n else p@p2 end if)}

count_exists_pr: Prove count_exists {p ← p@p4} from
  induction
    {prop ← (λ n : count(ppred, n) > 0 ⊃ exists_less(ppred, n)),
     i ← n@c},
  count_exists_base,
  count_exists_ind {n ← j@p1},
  exists_less {n ← i@p1}

count_base: Sublemma count(ppred, 0) = 0

count_base_pr: Prove count_base from count {i ← 0}

count_true_ind: Sublemma
  (count((λ p : true), n) = n) ⊃ count((λ p : true), n + 1) = n + 1

count_true_ind_pr: Prove count_true_ind from
  count {ppred ← (λ p : true), i ← n + 1}

count_true_pr: Prove count_true from
  induction {prop ← (λ n : count((λ p : true), n) = n), i ← n@c},
  count_base {ppred ← (λ p : true)},
  count_true_ind {n ← j@p1}

End countmod
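The countmod lemmas above, checked exhaustively on a finite model in Python. This is an added example, not the paper's EHDM text: `count` transcribes the module's recursive definition, each `lemma_*` function restates one lemma as a Python predicate, and `guaranteed_overlap` is an assumed helper (not in the module) that reads off the largest k the pigeon_hole lemma yields for given counts, which is how the lemma is used when bounding how many nonfaulty clocks fall in a given subset.

```python
"""Finite-model check of the countmod lemmas (added example, not from the paper).

`count` mirrors the EHDM recursion on i; each `lemma_*` states one lemma of
countmod as a Python predicate; `check_all` enumerates every predicate on the
constructed domain {0, ..., n-1} for n up to N.  The EHDM proofs cover all nat;
this is only a sanity check of the reconstructed statements.
"""
from itertools import product

N = 4  # largest n enumerated: 2**n predicates per n, so keep it small


def count(ppred, i):
    """countmod's count: number of p < i with ppred(p), by recursion on i."""
    if i > 0:
        rest = count(ppred, i - 1)
        return 1 + rest if ppred(i - 1) else rest
    return 0


def preds_on(n):
    """Every predicate on {0, ..., n-1}, as a truth table (constructed model)."""
    for bits in product((False, True), repeat=n):
        yield (lambda p, bits=bits: bits[p])


def lemma_count_complement(ppred, n):
    return count(lambda q: not ppred(q), n) == n - count(ppred, n)


def lemma_count_exists(ppred, n):
    return count(ppred, n) <= 0 or any(ppred(p) for p in range(n))


def lemma_count_bounded_and(ppred, n):
    return count(lambda p: p < n and ppred(p), n) == count(ppred, n)


def lemma_count_or(ppred1, ppred2, n, k):
    return count(ppred1, n) < k or count(lambda p: ppred1(p) or ppred2(p), n) >= k


def lemma_pigeon_hole(ppred1, ppred2, n, k):
    """count(p1, n) + count(p2, n) >= n + k  implies  count(p1 and p2, n) >= k."""
    return (count(ppred1, n) + count(ppred2, n) < n + k
            or count(lambda p: ppred1(p) and ppred2(p), n) >= k)


def check_all(n_max=N):
    """Map each lemma name to True iff every instance holds on the finite model."""
    results = {"count_complement": True, "count_exists": True,
               "count_bounded_and": True, "count_or": True, "pigeon_hole": True}
    for n in range(n_max + 1):
        for p1 in preds_on(n):
            results["count_complement"] &= lemma_count_complement(p1, n)
            results["count_exists"] &= lemma_count_exists(p1, n)
            results["count_bounded_and"] &= lemma_count_bounded_and(p1, n)
            for p2 in preds_on(n):
                for k in range(n + 2):  # k > n only makes the hypotheses false
                    results["count_or"] &= lemma_count_or(p1, p2, n, k)
                    results["pigeon_hole"] &= lemma_pigeon_hole(p1, p2, n, k)
    return results


def guaranteed_overlap(c1, c2, n):
    """Largest k with c1 + c2 >= n + k, i.e. the overlap pigeon_hole guarantees
    (assumed helper): 5 nonfaulty of 7 clocks and 6 of 7 sampled share >= 4."""
    return max(c1 + c2 - n, 0)


if __name__ == "__main__":
    print(check_all())
    print(guaranteed_overlap(5, 6, 7))
```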




REPORT DOCUMENTATION PAGE (Standard Form 298, OMB No. 0704-0188)

Report date: November 1993. Report type: Technical Paper.
Title: Verification of Fault-Tolerant Clock Synchronization Systems.
Author: Paul S. Miner.
Performing organization: NASA Langley Research Center, Hampton, VA 23681-0001. Report number: L-17209.
Sponsoring agency: National Aeronautics and Space Administration, Washington, DC 20546-0001. Agency report number: NASA TP-3349.
Distribution: Unclassified-Unlimited. Subject Category 62.
Subject terms: Fault tolerance; Clock synchronization; Formal methods; Mechanized proof; Transient faults.
Number of pages: 142. Security classification (report, page, abstract): Unclassified.


